Category Archives: continuous fraud auditing - Page 2

Exploiting the Dual

Many of today's CFEs hold dual certifications as CPAs, CIAs, CISAs and a host of others. This additional expertise gives the employers of fraud examiners serving as full-time corporate audit staff a whole range of new fraud detection and prevention capabilities. This is especially true of corporations whose operations are daily fraud targets. Rather than dealing with the infrequent single instance of fraud, as is most often the case in conventional CFE practice, these staff practitioners strengthen their employers' ability to devise investigative and preventive approaches to cope with random, most often automated, fraud attempts arriving on a recurring basis, twenty-four hours a day, 365 days a year.

One of the most effective innovations that dually certified CFEs can bring to bear in such dynamic fraud environments is some combination of continuous monitoring, continuous fraud auditing and continuous assurance. As the external and internal auditing professions view the first of these concepts, continuous monitoring is a feedback mechanism, used primarily by management, to ensure that systems operate and transactions are processed as prescribed. To take one of hundreds of possible examples, management might direct its staff CFEs to periodically verify that the key fraud prevention controls checking customer orders against credit limits remain in place and have not been deactivated.

Continuous auditing for fraud has been defined as the collection of evidence concerning fraud scenarios, by one or more examiners, on systems and transactions, on a continuous basis throughout a period. For example, staff examiners could routinely extract the details of any unusually large adjusting journal entry, validate the reasons for the entry, determine whether it was approved, and document these findings. The historical case file of irregularities is built up from this and similar evidence and the related investigations, as is the examiner's knowledge of the landscape of ongoing fraud threats confronting the business.

Continuous fraud control assurance can even provide a concurrent or on-demand assurance opinion on systems or transactions. A continuous opinion represents an examiner's or auditor's opinion that overall fraud prevention controls are operating satisfactorily unless a report is issued to the contrary (often referred to as an 'evergreen' fraud control report). An on-demand assessment of the functioning of key anti-fraud controls can be requested at any time to provide a spot evaluation at a point that does not necessarily coincide with a fiscal year end or month end. For example, a potential investor or lender might want to know the state of a company's fraud prevention controls on the day a final investing or lending decision is made. Although these types of control assessments are still relatively rare, given the pervasiveness of fraud in some heavily automated financial industries, demand for them may accelerate in the future.

Each of these three elements is built upon (and depends on) the one that precedes it. A continuous process of fraud assessment needs continuous monitoring systems to be in place to be effective. Those monitoring systems provide the evidence that is collected and assessed, and the assessed evidence is what management assurance is built on.

One of the biggest benefits of a program of continuous fraud control assessment is its effect on the employing organization's overall fraud control program. With continuous assessment, key fraud control failures are detected and fixed soon after they occur, bringing the effectiveness of the failed controls back in line with management's expectations. A further advantage is early warning: management can be apprised of a control failure as soon as it happens, which maximizes the time available for correction and shortens the period during which the control is not operating. The objective is for the external auditors, when they later perform their checks, to find that the control weakness identified by the staff fraud examiner has been corrected and that the corrected control is operating as of the sign-off date, thus avoiding audit points. One more advantage of having a dually certified fraud examiner on the audit staff is that many of the controls critical to the anti-fraud program can be fully automated under the CFE's supervision and thus lend themselves to continuous review. This proactive 'no surprises' approach to fraud control should be attractive to any organization considering employing CFEs as either staff auditors or security professionals.

What does it take for management to get this fraud prevention approach off the ground? First, hire more dually certified CFEs. Next, automation is key to the program's success, especially data mining and analytics. Technology that speeds up communication is also needed, because there is no value in identifying an issue quickly if it is not communicated equally quickly to those who need to know about it. Continuous auditing for fraud includes continuous monitoring and reporting by exception on problems as they arise, so the control environment of the employing organization must be at least good enough that the number of exceptions detected is not overwhelming at the outset. If anti-fraud controls are at a semi-mature level of effectiveness, however, there is no reason why, with effort, a continuous assurance approach can't work.

In setting up continuous audit tests, CFEs must understand in advance what can go wrong and what they are looking for; this is where dual certification as an experienced CPA or CIA is a plus, both in guiding the testing process and in writing the business rules that detect exceptions and in interpreting them. This latter point is no trivial matter, since something that looks like an exception under one set of circumstances can be perfectly normal under another, and trained financial assurance professionals know the difference.
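The exception test described above (the large-adjusting-entry check from the continuous auditing discussion, together with the point that an exception under one set of circumstances is normal under another) as an added example; this is not code from the original post. The journal-entry layout, the approval threshold, the four business rules and the sample entries are assumptions made for illustration. Rule R4 is account-relative, which is what makes a 48,000 adjustment an exception on a travel account while a 300,000 adjustment on a revenue account is not.

```python
"""Exception-based continuous audit test over adjusting journal entries.

Added example, not from the original post. The record layout, the approval
threshold, the four business rules and the sample entries are assumptions
made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    account: str
    amount: float
    adjusting: bool          # manual adjusting entry vs. routine entry
    preparer: str
    approver: Optional[str]  # None when no approval was recorded
    after_close: bool        # posted after the accounting period was closed


# Assumed policy: adjusting entries above this amount require a recorded approver.
APPROVAL_THRESHOLD = 10_000.0

# Constructed sample data (not real entries). Three routine entries per account
# establish what "normal" looks like for that account.
SAMPLE_ENTRIES: List[JournalEntry] = [
    JournalEntry("JE-1001", date(2024, 3, 28), "4000-Revenue", 250_000.0, False, "asmith", "bjones", False),
    JournalEntry("JE-1002", date(2024, 3, 29), "4000-Revenue", 240_000.0, False, "asmith", "bjones", False),
    JournalEntry("JE-1003", date(2024, 3, 30), "4000-Revenue", 260_000.0, False, "asmith", "bjones", False),
    # Large, but approved, in-period, and in line with the account: not an exception.
    JournalEntry("JE-1004", date(2024, 3, 31), "4000-Revenue", 300_000.0, True, "asmith", "bjones", False),
    JournalEntry("JE-1005", date(2024, 4, 2), "6100-Travel", 1_200.0, False, "cdoe", "bjones", False),
    JournalEntry("JE-1006", date(2024, 4, 3), "6100-Travel", 900.0, False, "cdoe", "bjones", False),
    JournalEntry("JE-1007", date(2024, 4, 5), "6100-Travel", 1_500.0, False, "cdoe", "bjones", False),
    # Unapproved, posted after close, and far above what this account normally carries.
    JournalEntry("JE-1008", date(2024, 4, 4), "6100-Travel", 48_000.0, True, "cdoe", None, True),
    # Approved, but by the preparer.
    JournalEntry("JE-1009", date(2024, 4, 1), "2100-Accrued", 15_000.0, True, "dlee", "dlee", False),
    # Small adjustment with no approver: below the threshold, so within policy.
    JournalEntry("JE-1010", date(2024, 4, 1), "2100-Accrued", 4_000.0, True, "dlee", None, False),
]


def account_baseline(entries: List[JournalEntry], account: str) -> Optional[float]:
    """Median absolute amount of routine (non-adjusting) entries on the account,
    or None when the account has no routine history to compare against."""
    routine = [abs(e.amount) for e in entries if e.account == account and not e.adjusting]
    return median(routine) if routine else None


def audit_exceptions(entries: List[JournalEntry],
                     threshold: float = APPROVAL_THRESHOLD,
                     multiple: float = 5.0) -> List[Tuple[str, List[str]]]:
    """Apply the business rules to every adjusting entry and report by exception.

    Rules (assumed for illustration):
      R1  adjustment above the threshold with no recorded approver
      R2  preparer approved their own entry (segregation of duties)
      R3  adjustment posted after period close
      R4  amount more than `multiple` times the account's routine baseline;
          the rule is account-relative, so a large amount on a high-volume
          account is normal while the same amount on a small account is not
    """
    findings: List[Tuple[str, List[str]]] = []
    baselines: dict = {}
    for e in entries:
        if not e.adjusting:
            continue  # routine entries form the baseline; only adjustments are tested
        reasons: List[str] = []
        if abs(e.amount) > threshold and e.approver is None:
            reasons.append("R1 no approval recorded for adjustment above threshold")
        if e.approver is not None and e.approver == e.preparer:
            reasons.append("R2 preparer approved own entry")
        if e.after_close:
            reasons.append("R3 adjustment posted after period close")
        if e.account not in baselines:
            baselines[e.account] = account_baseline(entries, e.account)
        base = baselines[e.account]
        if base is not None and abs(e.amount) > multiple * base:
            reasons.append(f"R4 amount {abs(e.amount):,.0f} exceeds {multiple:g}x "
                           f"account baseline of {base:,.0f}")
        if reasons:
            findings.append((e.entry_id, reasons))
    return findings


if __name__ == "__main__":
    for entry_id, reasons in audit_exceptions(SAMPLE_ENTRIES):
        print(entry_id)
        for r in reasons:
            print("   ", r)
```

On the sample data only JE-1008 (three rule hits) and JE-1009 (self-approval) are reported; the large but approved revenue adjustment and the small unapproved accrual are silent, which is the "reporting by exception" behaviour the text calls for. In a live program the rule set would be tuned per account class so that the initial exception volume is manageable.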

Creatively employing dually certified CFEs in an enhanced fraud detection and prevention effort based on the continuous audit approach confers several benefits on management while strengthening the fraud prevention program:

– Creation of a database of the most frequently occurring fraud scenarios, coupled with the most effective audit approaches for investigating and resolving them;

– Development of tailored data analytics and investigative tools for common fraud scenarios, so auditors can get the fraud-related data they need when they need it;

– Faster and more thorough fraud examinations and greater depth of audit for the same cost;

– Investigation and resolution of fraud-related issues as they occur, a proven proactive approach demonstrating an enhanced level of management due diligence;

– More alternatives for the entire audit staff in the way they perform fraud-related work, including reliance on preventive controls such as front-end system edits that screen out transactions likely to contain fraud before they enter the system;

– Because fraud-related auditing is more effective, it becomes more visible to those being audited, both within and outside the enterprise. Senior management has first-hand knowledge that auditors are 'on the case' even if they do not see them every day of the week. This visibility also acts as an additional deterrent to fraud, both internal and external.

Where the Money Is

One of the followers of our Central Virginia Chapter's group on LinkedIn is a bank auditor heavily engaged in his organization's analytics-based fraud control program. He was kind enough to share some of his thoughts on his organization's anti-fraud data modelling program as material for this blog post.

Our LinkedIn connection reports that, in his opinion, getting fraud data accurately captured, categorized, and stored is the first, vitally important challenge in using data-driven technology to combat fraud losses. This might seem relatively easy to those not directly involved in the process, but experience quickly reveals that having fraud-related data stored reliably over a long period of time and in a readily accessible format is a significant challenge, requiring a systematic approach at all levels of any organization serious about analytically supported fraud management. The idea that any single piece of data may be important to addressing a problem is a relatively new concept in the history of banking and of most other types of financial enterprise.

Accumulating accurate data starts with an overall vision of how the multiple steps in the process connect to affect the outcome. Every member of the fraud control team needs to understand how important each predefined step is in capturing the information correctly, from the person responsible for risk management in the organization, to the people who run the fraud analytics program, to the person who designs the data layout, to the person who enters the data. Even a customer service analyst or a fraud analyst failing to mark a certain type of transaction correctly as fraud can have an ongoing impact on the accuracy of the fraud control system. It helps to establish rigorous processes of data entry on the front end and to explain to all players exactly why those processes are in place. Process without communication and communication without process are both unlikely to produce the desired results. For staff to understand the importance of recording fraud information correctly, management must give everyone some general understanding of how a data-driven detection system (whether based on simple rules or on sophisticated models) is developed.

Our connection goes on to say that even after an organization has implemented a fraud detection system based on sophisticated techniques that can execute effectively in real time, the operational staff must still use the system's output recommendations effectively. There are three ways that fraud management can improve results within even a highly sophisticated system like that of our LinkedIn connection.

The first strategy is never to allow operational staff to second-guess a sophisticated model at will. Very often a model score of 900 (let's say this indicates very high fraud risk), whether combined with some decision keys or on its own, performs extremely well as a fraud predictor. It is good practice to use scores in this high-risk range from a tested model as they are and not allow individual analysts to adjust them further. This policy has to be completely understood and controlled at the operational level. Using a well-developed fraud score as is, without watering it down, is one of the most important operational strategies for the long-term success of any model. Applying this rule also makes it simpler to identify instances of model scoring failure, since the scores are free of any subsequent analyst adjustment.

Second, fraud analysts have to be trained to use the scores and the reason codes (reason codes explain why the score indicates risk) effectively in operations. Typically this is done by writing rules in operations that incorporate the scores and reason codes as decision keys. In the fraud management world these rules are generally referred to as strategies. It is extremely important that strategies are applied uniformly by all fraud analysts, and equally essential to closely monitor how the analysts are operating with the scores and strategies.

Third, analysts must be trained to accurately mark, in the data store, transactions that are confirmed or reported by the organization's customers to be fraudulent.

All three of these strategies may seem straightforward, but in practice they are not easy to accomplish without a lot of planning, time, and energy. A superior fraud detection system can be rendered almost useless if it is not used correctly. It is extremely important to allow the right level of employee to exercise the right level of judgment. Again, individual fraud analysts should not be allowed to second-guess a fraud score that is the result of a sophisticated model. Similarly, planners of operations should take all practical limitations into account when devising fraud strategies (fraud scenarios). Ensuring that all of this is done the right way with the right emphasis ultimately leads the organization to good, effective fraud management.
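The three operational points above (scores in the high-risk band used as-is, strategies written as rules over scores and reason codes with analyst adherence monitored, and confirmed fraud marked accurately in the data store) as one added example; this is not code from the original post or from the bank our connection describes. The 0-999 score scale, the 900 locked band, the reason-code dictionary, the strategy rules, the sample transactions and the decision log are all assumptions made for illustration.

```python
"""Model scores and reason codes applied through operational 'strategies'.

Added example, not from the original post or from the bank it describes. The
0-999 score scale, the locked band cut-off, the reason-code dictionary, the
strategy rules, the sample transactions and the decision log are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScoredTransaction:
    txn_id: str
    amount: float
    score: int                      # 0-999, higher means more likely fraud (assumed scale)
    reason_codes: Tuple[str, ...]   # why the model scored it that way
    confirmed_fraud: Optional[bool] = None   # set only from a confirmation, never guessed


# Assumed reason-code dictionary; production systems carry dozens of these.
REASON_CODES = {
    "R01": "velocity: many transactions in a short window",
    "R05": "first use at a new merchant category",
    "R12": "amount far above the 90-day average for this account",
    "R20": "card-not-present with mismatched shipping address",
}

LOCKED_BAND = 900   # scores at or above this are used as-is; no analyst adjustment


def apply_strategy(txn: ScoredTransaction) -> Tuple[str, str]:
    """Map a score plus reason codes to an action. Rules run in priority order and
    return (action, rule_id); the rule id lets a deviation be traced to the
    strategy that should have fired."""
    if txn.score >= LOCKED_BAND:
        return ("DECLINE", "S1 locked high-risk band, model output stands")
    if txn.score >= 700 and "R20" in txn.reason_codes:
        return ("DECLINE", "S2 high score with CNP/shipping mismatch")
    if txn.score >= 700:
        return ("REFER", "S3 high score, refer to analyst queue")
    if txn.score >= 500 and "R12" in txn.reason_codes and txn.amount > 2_000:
        return ("VERIFY", "S4 mid score on a large atypical amount, step-up verification")
    return ("APPROVE", "S0 default")


class AnalystOverrideError(Exception):
    """Raised when an adjustment would second-guess the model outside policy."""


def analyst_adjust_score(txn: ScoredTransaction, new_score: int, analyst_role: str) -> ScoredTransaction:
    """Enforce the 'no second-guessing' policy: a score in the locked band cannot be
    changed at all, and below it only a senior analyst may adjust it."""
    if txn.score >= LOCKED_BAND:
        raise AnalystOverrideError(f"{txn.txn_id}: score {txn.score} is in the locked band")
    if analyst_role != "senior_analyst":
        raise AnalystOverrideError(f"{txn.txn_id}: role {analyst_role!r} may not adjust scores")
    return replace(txn, score=new_score)


CONFIRMATION_SOURCES = {"customer_report", "chargeback", "investigation"}


def mark_confirmed(txn: ScoredTransaction, is_fraud: bool, source: str) -> ScoredTransaction:
    """Record the confirmed outcome. Only evidence-backed sources are accepted,
    because this label is what the next model will be trained on."""
    if source not in CONFIRMATION_SOURCES:
        raise ValueError(f"{source!r} is not an accepted confirmation source")
    return replace(txn, confirmed_fraud=is_fraud)


def strategy_adherence(txns: List[ScoredTransaction],
                       decision_log: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Compare each analyst's recorded action with what the strategy prescribed.
    decision_log rows are (txn_id, analyst, action_taken)."""
    by_id = {t.txn_id: t for t in txns}
    stats: Dict[str, dict] = {}
    for txn_id, analyst, action in decision_log:
        expected, _rule = apply_strategy(by_id[txn_id])
        s = stats.setdefault(analyst, {"decisions": 0, "deviations": []})
        s["decisions"] += 1
        if action != expected:
            s["deviations"].append((txn_id, expected, action))
    return stats


# Constructed sample data (not real transactions or analysts).
SAMPLE_TXNS = [
    ScoredTransaction("T1", 5_400.0, 945, ("R01", "R20")),
    ScoredTransaction("T2", 320.0, 760, ("R20",)),
    ScoredTransaction("T3", 89.0, 720, ("R05",)),
    ScoredTransaction("T4", 2_600.0, 560, ("R12",)),
    ScoredTransaction("T5", 45.0, 120, ()),
]
DECISION_LOG = [
    ("T1", "ana", "DECLINE"),
    ("T2", "ana", "APPROVE"),   # analyst watered down an S2 decline
    ("T3", "bob", "REFER"),
    ("T4", "bob", "APPROVE"),   # skipped the S4 step-up
    ("T5", "ana", "APPROVE"),
]

if __name__ == "__main__":
    for analyst, s in strategy_adherence(SAMPLE_TXNS, DECISION_LOG).items():
        print(analyst, s["decisions"], "decisions,", s["deviations"])
```

Keeping the strategy as code, rather than as guidance analysts apply by hand, is what makes uniform application and the adherence report possible; the deviation list per analyst is the monitoring the text asks for, and the locked band means a scoring failure at 900+ shows up in the data undisturbed by manual adjustment.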

At the heart of any fraud detection system is a rule or a model that attempts to detect a behavior observed repeatedly, with varying frequency, in the past and classifies it as fraud or non-fraud with a certain rank ordering. We would like to identify this behavior scenario in advance and stop it in its tracks. What we observe from historical data and experience needs to be converted into some sort of rule that can be applied systematically to data in real time in the future. We expect that these rules or models will improve our chance of detecting aberrations in behavior and help us distinguish between genuine customers and fraudsters in a timely manner. The goal is to stop the bleeding of cash from the account, and to do so as close to the start of the fraud episode as we can. If banks can accurately identify early indicators of ongoing fraud, significant losses can be avoided.

In statistical terms, what we define as a fraud scenario is the dependent variable, the variable we are trying to predict (or detect) using a model. We try to use a few independent variables (so called, although many of the variables used in a model have some dependency on each other in real life) to detect fraud. Fundamentally, at this stage we are modelling the fraud scenario using these independent variables. Typically, a model attempts to detect fraud rather than predict it. We are not trying to say that fraud is likely to happen on this entity in the future; rather, we are trying to determine whether fraud is likely happening at the present moment, and the goal of the fraud model is to identify this as close to the time the fraud starts as possible.

In credit risk management, by contrast, we try to predict whether there will likely be serious delinquency or default in the future, based on the behavior the entity exhibits today. With respect to detecting fraud, not having accurate fraud data during the model-building process is akin to not knowing where the target is on a shooting range. If a model or rule is built on data that is only 75 percent accurate, the model's accuracy and effectiveness will be suspect as well. There are two sides to this problem. Suppose we mark 25 percent of the fraudulent transactions inaccurately as non-fraud, or good, transactions. Not only do we miss out on learning from a significant portion of fraudulent behavior; by misclassifying it as non-fraud, we lead the model to treat that behavior as good behavior. Misclassification thus affects both sides of the equation. Accurate fraud data is fundamental to addressing the fraud problem effectively.

So, in summary, collecting accurate fraud data is not the responsibility of just one set of people in any organization. The entire mind-set of the organization should be geared around collecting, preserving, and using this valuable resource effectively. Interestingly, our LinkedIn connection concludes, the fraud data challenges faced by a number of other industries are very similar to those faced by financial institutions such as his own. Banks are probably further along in fraud management and can provide a number of pointers to other industries, but fundamentally the problem is the same everywhere. Hence the techniques he describes here are applicable to a number of industries, even though most of his experience is bank based. As fraud examiners and forensic accountants, we will no doubt witness the application of analytically based fraud risk management by an ever-multiplying number of client industries.

The Fire Alarm & the Bottom Line

I was having lunch with a couple of colleagues yesterday and the topic of 'pulling the fire alarm' came up. Specifically, 'pulling the fire alarm' means a corporate employee alerting management to the suspected fraudulent activity of a fellow employee. Everyone at the table agreed that the main reason management is often deprived of this vital intelligence is that the typical employee has a very hard time accepting that a well-known co-worker could even be deceptive or dishonest, let alone actually steal something.

CFEs are trained to know that good people can be, and often are, deceptive. When people think of deception, they often envision being tricked or having the wool pulled over their eyes. Although fraudulent acts are frequently acts of deception, the fallacy lies in believing that individuals within 'our organization' would never commit a deceptive act. After all, our conflicted employee tells herself, our organization goes to great lengths to hire top-notch talent who will be loyal and faithful. Our potential whistle-blower is aware that company employees are promoted through the ranks into leadership roles only because they have displayed some unique attributes of knowledge or talent.

ACFE interviews with fraudsters tell us that the psychological impact of events on professionals in today's world is difficult to predict. Individuals who are typically reasonable and display high integrity can frequently be placed in situations where personal and professional stress affects their decisions and actions in ways they may never have imagined. This is where the almost universal tendency to bestow the dangerous gift of the benefit of the doubt must be countered. No question that organizations must encourage openness and transparency in everyday actions by employees at all levels. But employees must also be made to understand that if someone questions an action or event, established outlets are available for reporting those concerns without fear of repercussions. A specific example that unintentionally supports the benefit-of-the-doubt syndrome is an employee who repeatedly performs an inappropriate action among a group of co-workers in the corporate setting. Someone who witnesses the act may not feel comfortable speaking up at the time, especially if the person performing it is his or her superior in the corporate hierarchy. However, that does not mean it is acceptable to walk away from the situation and say nothing. The outlets for reporting concerns may be as simple as speaking to a supervisor, contacting a human resources representative, or calling the employee hotline. Employees must be encouraged to speak up whenever they see activity they believe is inappropriate. If they don't, they perpetuate a culture of denial and silent acceptance.

Such a culture of silent acceptance can grow almost imperceptibly until the organization comes to believe, without ever examining the belief, that it is immune to fraud. My luncheon companions agreed that this syndrome is entirely natural, since all organizations want to believe they are immune to fraud; then the table talk turned to the following related points...

It is unfortunate that it takes a shattering event like a major embezzlement to make some organizations face the fact that fraud does not discriminate; it can happen anywhere, any time. Just as individuals may rationalize why it is acceptable to commit fraud, organizations sometimes rationalize the 'whys' that support their belief that fraud won't happen to them. Every CFE has seen this defensive stance, even during ongoing fraud examinations. Multiple beliefs within a corporate culture can contribute to this rationalization: what one person views as a very strict policy, another may see as a simple guideline open to interpretation. It is always important to maintain several levels of defense against fraud, including multiple preventive and detective controls. Because it is not possible to provide absolute assurance against fraud, it becomes even more critical that the controls in place are sufficient to place periodic roadblocks, warning signs, or the proverbial fire alarm in appropriate places, and that those controls and warning signs are applied uniformly to all employees in the organization.

Then there is the old canard about materiality. Almost the first question you get about a suspected fraud, in my experience especially from financial personnel, is 'Is it material?', meaning material to the financial statements. The implication is that the discovered fraud is not that important because it will have little or no effect on the bottom line. The ACFE tells us that fraud is dynamic and often occurs long before there is any significant impact on the financial statements. For example, frauds involving identity and information theft may eventually prove to have financial ramifications, but the initial ramifications are breaches of identity and information confidentiality. The materiality question is one sign that management may not fully understand the difference between a control gap, which creates opportunity for inappropriate actions, and an actual control failure. When it comes to fraud prevention, the question should not be 'How much was taken, or how much did we lose?' but 'What fraud opportunity has been created by the control gap we have identified?' No fraud is ever immaterial, because even a small amount of identified stolen money may be only the tip of the iceberg. Where one fraud has been identified, several related ones may be operating undetected.

In today's technological world, sophisticated information systems include workflow, authority delegation, acceptance reporting, system alerts, and intrusion detection. These processes rely on programmed controls and periodic monitoring to ensure that access is in line with company objectives. Although these system enhancements have improved efficiency in many ways, there are often loopholes that give a knowledgeable, often high-level, individual the opportunity to rationalize or take advantage of poorly designed procedures to support a wide range of fraudulent activity. So 'authorized' can itself represent a danger if management places too much reliance on system-enforced fraud prevention controls and does not build in mechanisms to monitor and manage those controls. The simplest example of unauthorized transactions lies in how delegation of authority is established and maintained within systems. If authority delegations are set up with no end date, or extended to individuals at a lower responsibility level than the true need, then expenditures may not be approved in line with corporate guidelines. This may seem like a minor control gap, but the potential for fraud, waste and abuse can be significant, and if the trend goes undetected for an extended period the risk becomes greater still.

Another example is the use of administrative user IDs by management, granting administrative access to systems and financial accounts. There is a distinct and established purpose for granting this type of access; however, if the granting of the IDs is not well controlled or monitored, there can be a significant internal control exposure that creates the opportunity for a high level of fraudulent behavior. This does not mean that just because a company has excessive administrative IDs it can expect fraud to be occurring. However, those of us around the table agreed that this is why senior management and the board need to understand the reality of an administrative fraud control gap. In case after case, overuse and poor monitoring of these types of IDs by senior corporate officials (such as CFOs and CEOs) has created the threat or opportunity for activity that may not be acceptable to the organization.
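The two control gaps just described (delegations of authority with no end date or at the wrong responsibility level, and administrative IDs that are granted but not monitored) as one added example of the periodic review a staff examiner could automate; this is not code from the original post. The record layouts, the role approval ceilings, the review and dormancy windows, the executive-title list and the sample records are assumptions made for illustration.

```python
"""Two control-gap reviews over authorization records: delegations of authority
and privileged (administrative) user IDs.

Added example, not from the original post. The record layouts, the role
approval ceilings, the review and dormancy windows, the executive-title list
and the sample records are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

AS_OF = date(2024, 6, 30)   # review date used for the sample run


@dataclass(frozen=True)
class Delegation:
    delegate: str
    delegate_role: str
    delegator: str
    approval_limit: float
    start: date
    end: Optional[date]      # None means open-ended


# Assumed: the highest approval limit each role should ever hold.
ROLE_CEILINGS = {"clerk": 1_000, "supervisor": 10_000, "manager": 50_000, "director": 250_000}


def review_delegations(delegations: List[Delegation], as_of: date,
                       max_days: int = 90) -> List[Tuple[str, str]]:
    """Flag delegations that are open-ended, expired but still active, unusually
    long, or that give a role more authority than its ceiling allows."""
    findings: List[Tuple[str, str]] = []
    for d in delegations:
        if d.end is None:
            findings.append((d.delegate, "D1 open-ended delegation with no end date"))
        elif d.end < as_of:
            findings.append((d.delegate, f"D2 delegation expired {d.end} but is still active"))
        elif (d.end - d.start).days > max_days:
            findings.append((d.delegate, f"D3 delegation runs longer than {max_days} days"))
        ceiling = ROLE_CEILINGS.get(d.delegate_role, 0)
        if d.approval_limit > ceiling:
            findings.append((d.delegate, f"D4 limit {d.approval_limit:,.0f} exceeds "
                                         f"{d.delegate_role} ceiling of {ceiling:,.0f}"))
    return findings


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: str
    owner_title: str
    privileged: bool
    last_used: Optional[date]
    last_reviewed: Optional[date]   # last access recertification
    shared: bool                    # used by more than one person


EXECUTIVE_TITLES = {"CEO", "CFO", "COO", "President"}


def review_admin_ids(accounts: List[Account], as_of: date,
                     review_days: int = 90, dormant_days: int = 60) -> List[Tuple[str, str]]:
    """Flag privileged IDs that are unreviewed, dormant, shared, held by an
    executive, or accumulated in numbers by a single owner."""
    findings: List[Tuple[str, str]] = []
    held: Dict[str, List[str]] = {}
    for a in accounts:
        if not a.privileged:
            continue
        held.setdefault(a.owner, []).append(a.user_id)
        if a.last_reviewed is None or (as_of - a.last_reviewed).days > review_days:
            findings.append((a.user_id, f"A1 not recertified within {review_days} days"))
        if a.last_used is None or (as_of - a.last_used).days > dormant_days:
            findings.append((a.user_id, f"A2 dormant for more than {dormant_days} days"))
        if a.shared:
            findings.append((a.user_id, "A3 shared privileged ID, actions not attributable"))
        if a.owner_title in EXECUTIVE_TITLES:
            findings.append((a.user_id, f"A4 privileged ID held by {a.owner_title}; confirm need, monitor use"))
    for owner, ids in held.items():
        if len(ids) > 1:
            findings.append((owner, f"A5 holds {len(ids)} privileged IDs: {', '.join(ids)}"))
    return findings


# Constructed sample records (not real people or systems).
SAMPLE_DELEGATIONS = [
    Delegation("pcole", "clerk", "mgrant", 500, date(2024, 6, 1), date(2024, 6, 30)),          # clean
    Delegation("rkhan", "supervisor", "mgrant", 25_000, date(2024, 1, 15), None),              # D1, D4
    Delegation("tnguyen", "manager", "vlopez", 40_000, date(2024, 2, 1), date(2024, 4, 30)),   # D2
    Delegation("jpark", "director", "vlopez", 200_000, date(2024, 1, 1), date(2024, 12, 31)),  # D3
]
SAMPLE_ACCOUNTS = [
    Account("adm_fin_01", "mgrant", "Controller", True, date(2024, 6, 28), date(2024, 5, 15), False),   # clean
    Account("adm_erp_01", "dwells", "CFO", True, date(2024, 6, 29), None, False),                     # A1, A4
    Account("adm_dba_01", "dwells", "CFO", True, date(2024, 2, 10), date(2024, 1, 10), False),        # A1, A2, A4
    Account("svc_batch", "itops", "IT Operations", True, date(2024, 6, 30), date(2024, 6, 1), True),  # A3
    Account("jsmith", "jsmith", "Analyst", False, date(2024, 6, 30), date(2024, 6, 1), False),        # not privileged
]

if __name__ == "__main__":
    for who, reason in review_delegations(SAMPLE_DELEGATIONS, AS_OF) + review_admin_ids(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{who:12} {reason}")
```

Neither review proves fraud; each produces the list of gaps the text says senior management and the board need to see. Run against a real export, the useful refinement is to feed the D and A codes into the same exception-reporting channel as the transaction tests so that a delegation with no end date is not discovered only when someone looks.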

Fraudsters are continually evolving, just like the rest of society. As CFEs, we are painfully aware that unauthorized transactions do not occur only because of external hacking, although the very real hacking threat seems to be the current obsession. Assurance professionals must not overlook all of the internal fraud possibilities and probabilities that sophisticated business systems present. Fraud in the digital age continues to expand and mature. We have to help our client organizations take an ongoing, proactive approach to examining and identifying the myriad ways that unauthorized transactions can slip through their internal firewalls and control procedures.

Global Storm Clouds Rising

The recent turbulence in the global financial markets is raising the by now too familiar questions in the trade press. Who is managing the risk? Where is the oversight? Could this financial turmoil have been avoided if the associated risks had been managed more proactively? 'Manage' has a positive connotation, implying that someone is in control, as in 'The governor is managing the coastal flooding event.' 'Risk' has a negative connotation, implying a lack of control, as in 'An unattended gun puts lives at risk.' Risk is everywhere and can be an opportunity or a threat. Although an effective risk management system cannot provide absolute assurance that events such as the current unsettled market situation will not occur, it can, at the least, lend confidence that the key risks will be identified and dealt with in a timely manner.

As a first step, understanding the structure and dimensions of ideal risk management supports a common understanding and effective implementation by management, and an adequate fraud risk assessment effort by CFEs and other assurance professionals. Management must understand the key vulnerabilities of the business model and establish risk expectations, which can then be incorporated into business practices. Likewise, CFEs must understand and consider the context of those expectations in their periodic fraud risk assessments. A thorough management understanding of fraud risk also improves the quality of any subsequent investigation of financial irregularities, since it creates a standard against which management's due diligence can be compared. Although it may be difficult for individual clients to identify ideal standards for risk management, addressing some fundamentals can help frame those ideals.

Regulatory, market, and fraud risks are common and familiar to CFEs, who are used to identifying these external events and asking 'what if' questions: What if this process is not in compliance? What if a fraud were to occur as a result? Inside counsel and auditors often encourage management to address these types of risk immediately, which can result in operational silos dedicated to a single significant fraud risk. However, these single events are only part of the picture. What about process efficiency risk, process design risk, system implementation risk, data integrity risk, skill-set risk, and the myriad other internal risks that, from the CFE's informed perspective, affect operations and fraud prevention? In the end, a risk is only important if it affects the achievement of strategic and business objectives. Both external and internal risks can be placed in the context of their impact on business objectives, so the framework of strategy and objectives must be defined and understood if an organization is to gauge the impact of the risks confronting it. The simplest way to define this framework is to start with the strategy and identify who is accountable for each of its parts. The framework is further defined as interviews with senior management reveal their objectives and accountabilities, and the process continues until the framework has been defined down to a level relevant for any external or internal risk. Relevance is determined by the fraud risk's ability to affect key elements of the framework. The framework provides a formal structure for ensuring strategic achievement.

Fraud risk management requires adequate identification of general risks and an awareness of existing vulnerabilities. Failure here can have dire consequences, as the ever-increasing volume of recent fraud cases attests. A century ago, soldiers recognized that good weapons were important to survival. But realizing the value of tanks and exploding shells was only one element of effective risk management; another was assessing the quality of the armor the tanks carried into battle. No general would order a tank advance without adequate vehicle armor; an army with limited protection would avoid or delay battle while its vehicles were being properly fitted. Likewise, as an organization pursues its objectives, it must understand its strengths and vulnerabilities. Organizations cannot charge into daily economic battles without both weapons for success and armor to manage their inherent risks. Historically, assurance professionals have operated in a black-and-white world: a control is either present or absent, effective or ineffective. Although this may work for compliance or financial reporting objectives, it does not help management improve governance, risk management, or overall fraud prevention. Business operations mature over time, and critical anti-fraud controls must mature with them. So if operations and controls mature over time, how does an organization take stock of the current state of affairs to avoid fraud vulnerabilities?

For fraud prevention, it is important to evaluate how effectively current business processes support the achievement of strategic and business objectives. This evaluation provides insight into the overall maturity of the fraud prevention controls in place to manage key risks. If the objective is to attack, yet the process or control maturity shows insufficient strength, the general's risk appetite likely exceeds that of his government and country. Risk becomes more manageable with a framework of key risks set in the context of key objectives and process/control maturity.

Business process and control vulnerability to fraud can be measured by defining the high-level management controls that illustrate what management is doing to achieve its strategic and business objectives. By this point the organization should understand its strategy and objectives and be aware of its people, process, and technology capabilities, but this alone does not give an overall understanding of fraud control maturity. Because maturity implies sustainability, it is also important to understand just how capable or strong the systems of control are. One way to begin creating a control maturity perspective is to look at what management is currently doing to ensure it achieves its objectives:

  • Does management have formal fraud prevention objectives that are well-written and communicated?
  • Is accountability clearly established?
  • Have metrics been set to measure the progress of those who are accountable?
  • Is existing reporting capable of illustrating the metric?
  • Are the information and communication channels adequate?
  • Does the tone at the top champion ethical behavior?

Frank answers to these types of simple questions help determine whether the CFE’s client organization is closer to the top, middle, or low levels of management fraud control maturity. This determination can help the organization identify gaps between its current level of maturity and the desired level so that actions can be prioritized to address the largest gaps. The answers to these questions can also help determine how formally objective achievement is being managed. They also provide a window into process capabilities and indicate the degree to which these capabilities are aligned with objective achievement. Informal alignment can create vulnerabilities. Management fraud control maturity is by no means the ultimate tool, but it provides a bridge in assessing risk management vulnerabilities.

All CFE’s have a role in educating senior management and the board (if there is one) about effective fraud risk management and irregularity prevention. Risk management means many things to almost everyone, yet communicating a few basic principles to clients will help CFE’s not only be successful but will provide the foundation for a program of robust fraud risk assessment. These principles help define a framework for valuing risk, assessing vulnerabilities, and determining the necessary steps for improving management fraud control maturity. Taken together, they can help any client organization improve the management of its overall risk and fraud prevention program.

To Control Cyber Fraud, Rapidly Identify System Abnormalities


According to the Pareto Principle, for many phenomena, 80 percent of the consequences stem from 20 percent of the causes.  Application of the principle to fraud prevention efforts related particularly to automated systems seems increasingly apropos given the deluge of intrusions, data thefts, worms and other attacks which continues unabated, with organizations of all kinds losing productivity, revenue and more customers every month.  ACFE members report having asked the IT managers of numerous victimized organizations over the years what measures their organization took prior to an experienced fraud to secure their networks, systems, applications and data, and the answer has typically involved a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies.  As much sense as these traditional steps make at first glance, they clearly aren’t proving sufficiently effective in preventing or even containing many of today’s sophisticated attacks.

The ACFE has determined that not only are some organizations vastly better than the rest of their industries at preventing and responding to cyber-attacks, but also that the difference between these and other organizations’ effectiveness boils down to just a few foundational controls.  And the most significant within these foundational controls are not rooted in standard forms of access control, but, surprisingly, in monitoring and managing system changes.  It turns out that for the best performing organizations there are six important control categories – access, change, resolution, configuration, version release and service levels.  Each category carries performance measures spanning audit, operations and security, including security effectiveness, audit compliance, disruption levels, IT user satisfaction and unplanned work.  By analyzing relationships between control objectives and corresponding performance indicators, numerous researchers have been able to differentiate which controls are actually most effective for consistently predictable service delivery, as well as for preventing and responding to security incidents and fraud related exploits.

Of the twenty-one most important foundational controls used by the most effective organizations at controlling intrusions, there were two used by virtually all of them. Both of these controls revolve around change management:

  • Are systems monitored for unauthorized changes in real time?
  • Are there defined consequences for intentional unauthorized changes?

These controls are supplemented by 1) a formal process for IT configuration management; 2) an automated process for configuration management; 3) a process to track change success rates (the percentage of changes that succeed without causing an incident, service outage or impairment); 4) a process that provides relevant personnel with correct and accurate information on all current IT infrastructure configurations.  Researchers found that these top six controls help organizations manage risks and respond to security incidents by giving them the means to look forward, averting the riskiest changes before they happen, and to look backward, identifying definitively the source of outages, fraud associated abnormalities or service issues.  Because they have a process that tracks and records all changes to their infrastructure and their success rates, the most effective organizations have a more informed understanding of their production environments and can rule out change as a cause very early in the incident response process. This means they can easily find the changes that caused the abnormal incident and remediate them quickly.

The organizations that are most successful in preventing and responding to fraud related security incidents are those that have mastered change management, thereby documenting and knowing the ‘normal’ state of their systems in the greatest possible detail.  The organization must cultivate a “culture” of change management and causality throughout, with zero tolerance for unauthorized changes. As with any organizational culture, the culture of change management should start at the top, with leaders establishing a tone that all changes must follow an explicit change management policy and process, from the highest to the lowest levels of the organization, with zero tolerance for unauthorized change. These same executives should establish a clear, written change management policy and concrete, well-publicized consequences for violating its procedures.  One of the components of an effective change management policy is a governing body, such as a change advisory board, that reviews and evaluates all changes for risk before approving them. This board reinforces the written policy, requiring mandatory testing for each and every change and an explicit rollback plan for each in case of an unexpected result.

ACFE studies stress that post incident reviews are also crucial, so that the organization protects itself from repeating past mistakes. During these reviews, change owners should document their findings and work to integrate lessons learned into future anti-fraud operational practices.

Perhaps most important for responding to and controlling system changes is having clear visibility into all change activities, not just those that are authorized. Automated controls that can maintain a change history reduce the risk of human error in managing and controlling the overall process.

So, in today’s environment, organizations that focus solely on access and reactive resolution controls at the expense of real time change management process controls are almost guaranteed to experience more security incidents, more damage from those incidents, and dramatically longer and less effective resolution times.  On the other hand, organizations that foster a culture of disciplined change management and causality, with full support from senior management and zero tolerance for unauthorized change and abnormalities, will have a superior security posture: fewer incidents, dramatically less damage to the business from security breaches and much faster identification and resolution of incidents when they happen.

In conducting a cyber-fraud post-mortem, CFE’s and other assurance professionals should not fail to focus on strengthening controls related to reducing 1) the amount of overall time the IT department devotes to unplanned work; 2) the volume of emergency system changes; and 3) the number and nature of failed system changes.  All three are red flags for cyber fraud risk and indicative of a low level of real time system knowledge on the part of the client organization.
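The two change-management controls listed above (real time monitoring for unauthorized changes, tracked change success rates) and the post-mortem red flags just named can be checked mechanically. What follows is an added example, not code from the ACFE research or from this post: a small Python monitor that compares the live fingerprints of configuration files against the state the change advisory board approved, attributes an unauthorized change to a rejected ticket where one matches, and computes the change success rate and the share of changes raised through the emergency path. The file paths, ticket ids, file contents and the two red-flag thresholds are all constructed for illustration; a production deployment would read real file hashes and the real change ledger.

```python
import hashlib
from dataclasses import dataclass


def digest(content: str) -> str:
    """SHA-256 of a config file's content: the fingerprint the monitor compares."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


# Constructed baseline: the approved "normal" state of two hypothetical config files.
APPROVED_BASELINE = {
    "/etc/payments/limits.conf": digest("credit_limit_check=on\nmax_tx=10000\n"),
    "/etc/payments/approvers.conf": digest("approver=cfo\n"),
}


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str      # change advisory board ticket id (constructed)
    path: str        # file the change touches
    new_hash: str    # fingerprint of the content the ticket authorises
    approved: bool   # did the board approve it before deployment?
    emergency: bool  # raised through the emergency change path?
    succeeded: bool  # deployed without causing an incident or outage?


# Constructed change ledger: what the board actually recorded.
CHANGE_LEDGER = [
    ChangeRecord("CHG-1001", "/etc/payments/limits.conf",
                 digest("credit_limit_check=on\nmax_tx=5000\n"), True, False, True),
    ChangeRecord("CHG-1002", "/etc/payments/approvers.conf",
                 digest("approver=cfo\napprover=controller\n"), True, True, False),
    ChangeRecord("CHG-1003", "/etc/payments/limits.conf",
                 digest("credit_limit_check=off\nmax_tx=5000\n"), False, True, False),
]

# Constructed "live" state, as the monitor would read it right now.
OBSERVED_STATE = {
    "/etc/payments/limits.conf": digest("credit_limit_check=off\nmax_tx=5000\n"),
    "/etc/payments/approvers.conf": digest("approver=cfo\napprover=controller\n"),
    "/etc/payments/debug.conf": digest("bypass_fraud_rules=1\n"),
}


def expected_state(baseline, ledger):
    """The baseline with every *approved* change applied in ledger order."""
    state = dict(baseline)
    for rec in ledger:
        if rec.approved:
            state[rec.path] = rec.new_hash
    return state


def detect_unauthorized(expected, observed, ledger=()):
    """Return (path, reason) for every live file that differs from the expected state."""
    unapproved = {(r.path, r.new_hash): r.ticket for r in ledger if not r.approved}
    findings = []
    for path, live_hash in observed.items():
        if path not in expected:
            findings.append((path, "file not in approved baseline"))
        elif live_hash != expected[path]:
            ticket = unapproved.get((path, live_hash))
            reason = (f"matches unapproved ticket {ticket}" if ticket
                      else "content differs from last approved change")
            findings.append((path, reason))
    for path in expected:
        if path not in observed:
            findings.append((path, "approved file missing"))
    return findings


def change_metrics(ledger):
    """Success rate, emergency share and failed count over all attempted changes."""
    total = len(ledger)
    succeeded = sum(r.succeeded for r in ledger)
    emergency = sum(r.emergency for r in ledger)
    return {
        "total": total,
        "success_rate": succeeded / total if total else 1.0,
        "emergency_share": emergency / total if total else 0.0,
        "failed": total - succeeded,
    }


def red_flags(metrics, min_success_rate=0.9, max_emergency_share=0.25):
    """Post-mortem red flags; the two thresholds are constructed, not from the post."""
    flags = []
    if metrics["success_rate"] < min_success_rate:
        flags.append(f"change success rate {metrics['success_rate']:.0%} "
                     f"is below {min_success_rate:.0%}")
    if metrics["emergency_share"] > max_emergency_share:
        flags.append(f"emergency changes are {metrics['emergency_share']:.0%} "
                     f"of all changes, above {max_emergency_share:.0%}")
    return flags


if __name__ == "__main__":
    expected = expected_state(APPROVED_BASELINE, CHANGE_LEDGER)
    for path, reason in detect_unauthorized(expected, OBSERVED_STATE, CHANGE_LEDGER):
        print(f"UNAUTHORIZED {path}: {reason}")
    for flag in red_flags(change_metrics(CHANGE_LEDGER)):
        print(f"RED FLAG {flag}")
```

On the constructed data the monitor reports two unauthorized changes (the limits file now matches a ticket the board rejected, and a debug file exists that was never in the baseline) and both red flags fire, which is the "abnormal incident" picture the post says the best performers can pin down within minutes because they know their normal state.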

That Break’s For You


“We are again honored to have a seventh guest post from our friend and Richmond Chapter 2015 Vice-President, Rumbi Bwerinofa, CPA/CFF. Rumbi is a Director of the Queens/Brooklyn Chapter of the New York State Society of CPAs and a member of the NYSSCPA Litigation Services Committee. She is the editor of TheFStudent.com, where she discusses financial forensic issues.” – Charles Lawver, 2015 RVACFES Chapter President

I live in New York City, the city that, in its own mind at least, never sleeps. Those of us who live here wear that like a badge of pride.  Rest? Only when we’re dead! If you ride the subway, death apparently includes the daily rush-hour commute. Here, we’re a city of zombies who have even figured out how to sleep, standing up, crammed like sardines into whatever tin box is taking us to work. Our bosses love our never rest attitude. What could be better than workers who express shame when requesting time off? Who wouldn’t like an office full of people competing to see who can pull the longest hours?

Well, it turns out that, perhaps, a worker who never leaves his or her desk may not be such a good thing for company health, when it comes to fraud prevention and detection. That person who’s so diligent that, not only does she never need help, but she’s even willing to take on additional tasks like, say, picking up and distributing the mail or making bank deposits, may be taking on all these extra tasks for a reason, say to make sure that no one discovers she’s actively stealing from the company. That’s why it’s important for forensic accountants and fraud examiners to help our clients understand the criticality of enforced staff vacations for the overall integrity of their fraud prevention programs.

It’s so important to stress to the employer that, when employees do take vacations, desks mustn’t be allowed to sit idle, with work and mail just piling up, untouched for two or three weeks.  Vacation times represent the perfect point to perform targeted, concurrent fraud prevention and detection related tests. One, or more, of the vacationing employee’s cross-trained peers should take over the daily, detailed tasks of the employee. Such tests are especially important if the employee has access to assets or cash, but it’s a good prevention practice for every employee’s desk. Mail should be opened, bank statements reconciled and checks to vendors written. In this way, fraud and error stand a good chance of being caught.  Just knowing that this type of testing is mandatory during enforced annual vacations is a potent fraud deterrent in itself.

Too often fraud is caught by accident, when one employee happens to be out of the office and a question needs to be answered. Someone will dig into that employee’s work and stumble onto something amiss. Rita Crundwell stole almost $54 million from the city of Dixon during the nearly three decades she was that city’s comptroller. Her crime was discovered while she was out of her office, on vacation, and the acting comptroller, having asked for bank statements, found a statement for an account that was not recorded in the ledger. The account held millions, had an official-sounding name and wasn’t identified in any city record. Had someone else in the city’s finance department routinely performed banking and mail duties while Crundwell was out of the office (or even at random times when she wasn’t), this embezzlement may have been caught years earlier.  Prior to the fraud’s discovery, no manager in authority seemed to see a conflict of duties issue with Crundwell, the comptroller, picking up all the city’s mail. While she was on vacation, she would have a relative or city employee pick up the mail, separate out hers, and distribute the rest. Yes, a relative, not even a city employee, picked up and distributed the city’s mail!  Had Crundwell known that her work would be independently and randomly checked and reviewed on a regular basis, she may have decided that stealing from the city was just too risky and have never perpetrated her crime.

The FDIC and SEC recommend mandatory vacations of two consecutive weeks for traders and others in the financial industry. This guarantees there’s adequate time for the employer to have another staff member perform the work of the vacationing employee and check for fraud and error. Any business would benefit from adding this process to their control systems.

An earlier post on The Inner Auditor discussed the risks and control weaknesses associated with only one person in a business holding the bulk of the information about how things work. Should that person take an extended vacation, retire or quit, the company could very well come to a confused standstill because no one else knows how to perform certain processes or where certain information is kept. A benefit of an enforced mandatory vacation and random testing policy is that other staff members will be forced to learn, through cross-training, what their colleagues do and know; knowledge about the functioning of every desk will be shared among various employees.

Employers should be thoroughly briefed on the benefits for fighting fraud, reducing error and sharing knowledge that a well-planned and executed vacation and concurrent testing policy can bring to the fraud prevention effort. They may or may not worry too much about how tired their workers are, but I’m pretty sure that they care a lot about keeping their assets safe.
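The concurrent test the guest post describes, reconciling the bank statements that arrive while the custodian is away against the general ledger, is what exposed the unrecorded account in the Dixon case. Here is an added Python example of that check; it is not the guest author's code and it uses constructed statements, account numbers and balances. It flags three things a peer covering the desk should escalate: a statement for an account the ledger does not carry, a book balance that disagrees with the bank, and a ledger account for which no statement arrived at all.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Statement:
    account_no: str
    account_name: str
    ending_balance: Decimal


# Constructed: statements opened from the mail while the custodian is on leave.
STATEMENTS = [
    Statement("1001", "General Fund", Decimal("482310.55")),
    Statement("1002", "Payroll", Decimal("91250.00")),
    Statement("7733", "Capital Development Reserve", Decimal("2750000.00")),
]

# Constructed general ledger: bank account number -> book balance.
LEDGER = {
    "1001": Decimal("482310.55"),
    "1002": Decimal("91300.00"),
    "1003": Decimal("12000.00"),
}

# Ranking used to sort findings so the most serious land at the top of the report.
SEVERITY = {"UNRECORDED_ACCOUNT": 0, "BALANCE_MISMATCH": 1, "NO_STATEMENT_RECEIVED": 2}


def reconcile(statements, ledger, tolerance=Decimal("0.00")):
    """Compare every bank statement to the ledger in both directions.

    Returns (kind, account_no, book_value, bank_value) tuples, most severe first.
    `tolerance` is the largest book/bank difference treated as timing, not error.
    """
    findings = []
    seen = set()
    for s in statements:
        seen.add(s.account_no)
        if s.account_no not in ledger:
            # The Dixon pattern: a real bank account that the books never mention.
            findings.append(("UNRECORDED_ACCOUNT", s.account_no, None, s.ending_balance))
        elif abs(s.ending_balance - ledger[s.account_no]) > tolerance:
            findings.append(("BALANCE_MISMATCH", s.account_no,
                             ledger[s.account_no], s.ending_balance))
    for acct, book in ledger.items():
        if acct not in seen:
            # A recorded account whose statement never arrived (or was diverted).
            findings.append(("NO_STATEMENT_RECEIVED", acct, book, None))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


def report(findings):
    """Plain-text exception list for the reviewer covering the desk."""
    return "\n".join(f"{kind} account {acct}: book={book} bank={bank}"
                     for kind, acct, book, bank in findings)


if __name__ == "__main__":
    print(report(reconcile(STATEMENTS, LEDGER)))
```

Run it during the vacation window, not after it; the value of the test is that the custodian knows it will happen while they are away and cannot intercept the mail first.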

Stone Age Quarterly Reports


Our Chapter and the ACFE have published a number of articles and posts over the last few years about the various types of pressures that can push ethically challenged employees over the line between temptation and the perpetration of an actual accounting fraud.  One category of such pressure stems directly from the nature of our present system of periodic financial reporting which, it can be argued, not only creates unnecessary volatility in the stock and financial markets but ends up requiring rational investors to demand a premium for securities investments by emphasizing the short term risk that near term, set in stone, quarterly earnings targets will not be met.   The pressure to meet these short term targets can only give rise to operational inefficiencies which in turn drive up the inherent inefficiency in the transmission of information from public companies to financial markets based on a model which hasn’t changed much since its original definition during the Great Depression of the 1930’s.

I’ve seen articles in the Journal of Accountancy and in other authoritative financial publications pointing toward a better way and, with the advent of and widening support for the electronic reporting of financial results to the SEC (the XBRL initiative), we can hope we’re well into the dawn of a new age.  That there’s been pushback to this effort is understandable.  Those familiar with the technical and professional minefield of the present quarterly reporting process can only feel sympathy with those financial officers who have to go through it, quarter by quarter and year after year.  Questions abound about the process: how is electronically published financial information going to be verified, and what real controls are there over its reliability?  What happens if there’s an honest mistake?

Think about all this from the point of view of the fraud examiner.  If enterprises, listed and non-listed, can make the transition from a periodic to a real-time, electronic based financial reporting system, the resulting efficiencies and the decrease in numerous types of fraud related risk would be truly striking.  Real-time financial reporting would free our clients from the tyranny of the present, economically nonsensical, reporting of quarterly results.  How much of the incentive to commit financial fraud to meet the numbers does that immediately alleviate?   As one financial expert after another has pointed out over the years, there’s just no justification for focusing on a calendar quarter as the unit in which to take stock of financial performance, beyond the fact that that’s what’s presently written in the law.  By contrast, what if financial information were published and available to all users on a real-time basis?  The immediate availability of such information, continuously updated, on whatever basis was appropriate for the individual enterprise and its industry, would force companies to adopt a reporting unit that really makes sense to them and to their principal information users.   For some companies that unit might be a week, a month, a quarter, semi-annually or a year.  So be it.  Let a thousand flowers bloom; the upshot is that what would end up being reported would make sense for the company, its industry and for the information users rather than the one-size-fits-all, set in stone, prescription of the present law.

An additional advantage, and one with immediate implications for fraud prevention, would be the opportunity for increased efficiency in financial markets as investment dollars could be allocated not according to quarterly results or according to the best guess estimates of financial analysts, but by reliable financial information provided directly by the company all the time; goodbye to many of the present information control vulnerabilities that support insider trading because information is not widely and efficiently disseminated.  The point is that by employing digital, on-line analytics based report building tools properly, users of all kinds can customize a set of up-to-date financial reports (in whatever format) on whatever time period, that suits their fancy.

But many have also pointed out that if there is to be such a shift from periodic to real-time financial reporting, there needs to be a fundamental change in basic attitudes toward financial reporting.  Those who report and those who inspect financial information will have to change their focus from methods by which the numbers themselves are checked (audited) to methods (as with XBRL) that focus on the reliability of the system that generates the numbers.  That’s where fraud examiners and other financial assurance professionals come in.  On-line financial information will be published with such frequency and so rapidly that there will be no time to “check” individual numbers; the emphasis for assurance professionals will, therefore, need to shift away from checking numbers and balances to analysis of and reporting on the integrity of the system of internal controls over the reporting system itself; understanding of the details of the internal control system over financial reporting will gain a level of prominence it’s never had before.

Fraud examiners need to be aware of these issues when counseling clients about the profound impact that digitally based, on-line reporting of financial information will have on their fraud prevention and fraud risk assessment programs.  As with all else in life, real time financial reporting will inevitably decrease the risk of some fraud scenarios while increasing the risk of others.

Concurrent Fraud Auditing (CFA) as a Tool for Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good anti-fraud tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day.  The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years.  Basically, at the heart of a system of concurrent fraud auditing (CFA), like that of CAA, is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies as close to their occurrence as possible.  Today’s networked processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL Server by in-house client IT applications like Oracle and Microsoft Access.  In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering.   The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place.  Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central process of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices.  At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios.  The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics.   As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators.  By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios.  Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff.  This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag).  The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process.  This level would produce pre-formatted reports to management or constitute emergency exception notices.  Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses by an offending e-mail user.

There is additionally yet a third level for our system, which is to use the CFA to monitor the concurrent fraud auditing process itself.  Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate counsel as documented evidence of management’s performance of due diligence in its fight against fraud.
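To make the three levels concrete, here is an added Python example; it is not code from the Chapter member’s client or from any product, and it stands in for the cloud warehouse with an in-memory SQLite table of constructed payments. Level 1 runs the metric tags (here only the $10,000 rule from the post) and writes a hold flag back to the payment row as the corrective edit; level 2 groups the level-1 flags by payee and refers repeat hits to the fraud management committee; level 3 records every run so the monitoring itself can be evidenced to the audit committee. The payee names, amounts, the two-hit referral standard and the table layout are assumptions made for the example.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timezone

REPORT_THRESHOLD = 10_000.00  # the post's $10,000 reporting metric
REFERRAL_MIN_HITS = 2         # constructed level-2 standard: two hits on one payee = referral

# Constructed payment history standing in for the client's cloud-hosted warehouse.
CONSTRUCTED_PAYMENTS = [
    ("T1", "A-100", "Acme Supplies",  2_500.00, "card"),
    ("T2", "A-100", "Acme Supplies", 12_400.00, "wire"),
    ("T3", "A-200", "Globex Ltd",    45_000.00, "wire"),
    ("T4", "A-300", "Local Vendor",     980.00, "card"),
    ("T5", "A-200", "Globex Ltd",    15_000.00, "wire"),
]

# Level-1 metric tags: name -> (SQL selecting the outliers, parameters).
# Held rows are excluded so a transaction is flagged once, not on every cycle.
METRIC_TAGS = {
    "over_reporting_threshold": (
        "SELECT txn_id, account, payee, amount FROM payments "
        "WHERE amount > ? AND hold = 0",
        (REPORT_THRESHOLD,),
    ),
}


def load_warehouse(rows):
    """Build the in-memory warehouse: the payments table plus the level-3 run log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (txn_id TEXT PRIMARY KEY, account TEXT, "
                 "payee TEXT, amount REAL, channel TEXT, hold INTEGER DEFAULT 0)")
    conn.execute("CREATE TABLE cfa_runs (run_at TEXT, tag TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO payments (txn_id, account, payee, amount, channel) "
                     "VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def level1_flag(conn):
    """Run every metric tag; each hit becomes a flag and a corrective edit (hold) is written back."""
    flags = []
    run_at = datetime.now(timezone.utc).isoformat()
    for tag, (sql, params) in METRIC_TAGS.items():
        hits = conn.execute(sql, params).fetchall()
        for txn_id, account, payee, amount in hits:
            flags.append({"txn_id": txn_id, "account": account, "payee": payee,
                          "amount": amount, "tag": tag})
            conn.execute("UPDATE payments SET hold = 1 WHERE txn_id = ?", (txn_id,))
        conn.execute("INSERT INTO cfa_runs VALUES (?, ?, ?)", (run_at, tag, len(hits)))
    conn.commit()
    return flags


def level2_escalate(flags):
    """Group level-1 flags by payee; repeat hits are referred to the fraud management committee."""
    by_payee = defaultdict(list)
    for f in flags:
        by_payee[f["payee"]].append(f)
    referrals = []
    for payee, items in by_payee.items():
        if len(items) >= REFERRAL_MIN_HITS:
            referrals.append({"payee": payee, "hits": len(items),
                              "total": sum(i["amount"] for i in items),
                              "txn_ids": sorted(i["txn_id"] for i in items)})
    return referrals


def exception_report(flags, referrals):
    """Pre-formatted level-2 report for the audit staff mailbox."""
    lines = [f"{f['txn_id']} {f['payee']} {f['amount']:,.2f} [{f['tag']}]" for f in flags]
    lines += [f"REFER {r['payee']}: {r['hits']} flagged, total {r['total']:,.2f}"
              for r in referrals]
    return "\n".join(lines)


def level3_audit(conn):
    """Monitor the monitor: prove every configured tag ran in the latest cycle."""
    latest = conn.execute("SELECT MAX(run_at) FROM cfa_runs").fetchone()[0]
    ran = {tag: hits for tag, hits in
           conn.execute("SELECT tag, hits FROM cfa_runs WHERE run_at = ?", (latest,))}
    missing = sorted(set(METRIC_TAGS) - set(ran))
    return {"run_at": latest, "tags_run": ran, "tags_missing": missing,
            "complete": not missing}


if __name__ == "__main__":
    conn = load_warehouse(CONSTRUCTED_PAYMENTS)
    flags = level1_flag(conn)
    print(exception_report(flags, level2_escalate(flags)))
    print(level3_audit(conn))
```

Adding a scenario is a matter of adding a tag to METRIC_TAGS; because level 1 writes the hold back to the row, a second cycle reports nothing new, which is the "edit out or flag once" behaviour the post expects the CFA process to converge on.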

So it’s no surprise that I would certainly encourage our member to discuss the CFA approach with the management of her client.  It isn’t the right tool for everyone, since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the developing organization, but the discussion is worth the candle. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud.  CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door, like banking applications, and especially to control all aspects of the processing of insurance claims.

Go Ask Jane. She Knows Everything!

As fraud examiners intimately concerned with the on-going state of health of the Enterprise Fraud Management system, we find ourselves constantly looking at the integrity of the data that’s truly (as much as financial capital) the life blood of today’s client organizations. We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data vulnerabilities to fraud to a minimum. Every little bit of critical information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture.

When it comes to managing its client, financial and payment data, almost every organization has a Jane. Jane’s the person everyone goes to for the answers about data, and the state of the system(s) that process it, that no one else ever seems to have. That’s because Jane is an exceptional employee with years of detailed hands-on experience in daily financial system operations and maintenance. Jane is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees. The recent great recession, where enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices, only exacerbated an existing, seemingly ever growing trend. The very real threat to the Enterprise Fraud Management system that the Janes of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever present possibility) but that they will retire or get another job out of state, taking their vital knowledge of the company systems and data with them.

The day after Jane’s retirement party and, to an increasing degree thereafter, it will dawn on Jane’s management that it’s lost a large amount of information about the true state of its data and financial processing system(s). Management will become aware, if it isn’t already, of its lack of a large amount of system critical data documentation that’s been carried around nowhere but in Jane’s head. The point is that, for some organizations, their reliance on a few key employees for day to day, operationally related information on their data goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their system of Enterprise Fraud Management. Today’s newspapers and the internet are full of stories about data breaches, only reinforcing the importance of vulnerable data and of its documentation to the on-going operational viability of every one of our client organizations.

Anyone who has investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of that change related information is ever formally documented. Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily those most involved in everyday, routine data management projects. There’s always a significant level of detail that’s gone undocumented, left out or left to chance, and it becomes up to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them. The anomalies might be in the form of missing data, a change in data field definitions, or a change in the content of the fields; the possibilities are endless. Without proper, formal documentation, the immediate or future significance of these types of anomalies for the Enterprise Fraud Management System and for the overall fraud risk assessment process itself becomes almost impossible to determine.

If our auditor or fraud examiner, operating under today’s typical budget or time constraints, is not very thorough and misses even finding some of these anomalies, they can end up never being addressed. How many times as an analyst have you tried to understand something (like apparently duplicate transactions) about the financial system that just doesn’t look right, only to be told, “Oh, yeah. Jane made that change back in February before she retired; we don’t have too many details on it.” In other words, undocumented changes to transactions and data, the details of which now exist only in Jane’s absent head. When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of the Enterprise Fraud Management system. The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high. What can’t be seen can’t ever be managed or even explained.
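The anomalies just described (missing data, changed field definitions, changed field content, apparently duplicate transactions) can be surfaced systematically by profiling each extract against its documented data dictionary, so that an undocumented change announces itself instead of waiting for someone to ask Jane. The following is an added Python example, not code from this post or from any client; the data dictionary, the claims rows, the field names and the "undocumented change" they contain are all constructed for illustration.

```python
from collections import Counter

# Constructed data dictionary: the documented definition of a claims extract.
# "key" marks the field that must be unique; "allowed" lists the documented codes.
DATA_DICTIONARY = {
    "claim_id":  {"type": "str",   "required": True,  "key": True},
    "claim_amt": {"type": "float", "required": True},
    "status":    {"type": "str",   "required": True,
                  "allowed": {"OPEN", "PAID", "DENIED"}},
    "paid_date": {"type": "str",   "required": False},
}

# Constructed extract after an undocumented change: amounts now sometimes arrive
# as text, a new status code appears, a field exists that the dictionary never
# mentions, and one claim id is repeated.
EXTRACT = [
    {"claim_id": "C1", "claim_amt": "1200.00", "status": "PAID",
     "paid_date": "2015-02-03", "override_flag": "Y"},
    {"claim_id": "C2", "claim_amt": "80.50", "status": "REOPEN",
     "paid_date": None, "override_flag": "N"},
    {"claim_id": "C3", "claim_amt": 310.0, "status": "OPEN", "override_flag": "N"},
    {"claim_id": "C1", "claim_amt": 1200.0, "status": "PAID",
     "paid_date": "2015-02-03", "override_flag": "Y"},
]

# Documented type name -> Python types accepted for it.
TYPE_MAP = {"str": (str,), "float": (int, float)}


def profile_extract(dictionary, rows):
    """Compare an extract to its data dictionary; return (kind, field, detail) findings."""
    findings = []
    for field, spec in dictionary.items():
        values = [row.get(field) for row in rows]
        present = [v for v in values if v is not None]
        # Missing data in a field the dictionary says must always be populated.
        if spec["required"] and len(present) < len(rows):
            findings.append(("MISSING_VALUES", field, len(rows) - len(present)))
        # Change in field definition: values no longer of the documented type.
        bad_type = [v for v in present if not isinstance(v, TYPE_MAP[spec["type"]])]
        if bad_type:
            findings.append(("TYPE_DRIFT", field, len(bad_type)))
        # Change in field content: codes the dictionary does not list.
        allowed = spec.get("allowed")
        if allowed:
            unexpected = sorted({v for v in present if v not in allowed})
            if unexpected:
                findings.append(("NEW_CODES", field, unexpected))
        # Apparent duplicate transactions on the documented key.
        if spec.get("key"):
            dupes = sorted(v for v, n in Counter(present).items() if n > 1)
            if dupes:
                findings.append(("DUPLICATE_KEY", field, dupes))
    # Fields present in the data that nobody documented.
    undocumented = sorted({k for row in rows for k in row} - set(dictionary))
    for field in undocumented:
        findings.append(("UNDOCUMENTED_FIELD", field, None))
    return findings


if __name__ == "__main__":
    for kind, field, detail in profile_extract(DATA_DICTIONARY, EXTRACT):
        print(f"{kind:<18} {field:<14} {detail}")
```

Each finding is a prompt for a documentation entry (who changed what, when, and why) before the extract feeds any fraud analytics; a run that returns no findings is the evidence that the dictionary still describes the data.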

It’s truly humbling to experience how much critical financial information resides in the fading (or absent) memories of past or present key employees. As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent transaction related documentation and the sharing of knowledge on a consistent basis for all systems but especially in matters involving changes to critical financial and customer support systems. One nice benefit of this approach, which I brought to the attention of one of my clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than serving as the encyclopedia for the rest of the operational staff.

The Dually Certified CFE

We all know that public and private sector auditors of all kinds are stretched critically thin during these times of straitened administrative budgets.  But I also know from personal experience that Chief Audit Executives (CAE’s) everywhere are continually on the lookout for cross trained staff, with potential staff members who have the ability, training and experience to perform some mix of fraud, financial, operational and IT audits in especially high demand.  For that reason fraud examiners new to the profession have a special need of a broad understanding of how the generic audit process works so as to make the strongest contribution to their employer’s overall audit effort.

The primary role of assurance and risk control professionals within any organization is to continually, independently and objectively assess the controls, fraud risks, reliability and integrity of the enterprise environment.  These assessments can help maintain or improve the efficiency and effectiveness of the organization’s overall risk management, internal controls and corporate governance.  Those dually certified as fraud examiners as well as CPA’s, CIA’s and CISA’s can evaluate corporate objectives, plans, strategies, and policies and procedures to ensure adequate management oversight of fraud risk, thereby reducing actual instances of fraud, waste and abuse.  Anti-fraud recommendations developed during the fraud risk assessment process can complement control strengthening recommendations developed and presented to management by other members of the organizational control assurance team.

I would argue that dually certified CFE’s are in an especially powerful position to add value to the performance of internal financial, operational and compliance auditing assignments.  The CFE’s expertise regarding the red flags of financial statement fraud can be an integral part of any financial audit.  A financial statement audit, or more accurately, an audit of financial statements, is a review of an enterprise’s financial statements that results in the publication of an independent opinion on the relevance, accuracy, completeness and fairness (RACF) of the presentation of the financial statements.  Internal auditors of all types don’t opine on the company’s financial results, but, as part of their annual audit plans, constantly perform substantive tests on financial balances to verify RACF.  The CFE and other members of the internal audit team conduct periodic analyses, reviews and tests of the financial accounting system; successful passing of the tests decreases the amount of associated risk and provides valid input for adjustments to the fraud risk assessment.

Operational auditing is the process of reviewing a division or department of the enterprise, government or non-profit organization to measure the effectiveness, efficiency and economy of operations.  This is an evaluation of management’s performance and conformity with policies and budgets.  The objective is to appraise the effectiveness and efficiency of a division, an activity or an operation in meeting organizational goals.  Ineffective and inefficient operations are a breeding ground for management and employee dissatisfaction and constitute a red flag of management fraud.  As an example, a poorly or incompletely implemented automated control system is an open invitation for exploitation by internal fraudsters who always know the faulty system better than management.

Internal assurance professionals conduct compliance audits to gauge organizational adherence to regulatory guidelines, local, State and Federal.  Elements to be evaluated depend on whether the enterprise is a public or private sector entity, what kind of data it handles, and whether or not it transmits or stores sensitive personal client and financial data.  A glance at the newspaper should be enough to convince anyone of the costs involved in State and Federal regulatory violations and any such violations are only exacerbated by instances of fraud.  There can be no question of the role that can be played by the experienced CFE in compliance auditing.  Fraud prevention controls are part of compliance and these controls must be fully integrated into the organization’s overall plan for compliance in order for the enterprise to pass State and Federal audits of the use of taxpayer funds.  Considerations of fraud prevention must be involved in all facets of compliance auditing.

From the CFE’s perspective the main differences among internal financial, operational and compliance auditing are the purpose of the audit, the inclusion of non-financial business processes, and cost/benefit versus verification.  Financial audits, as their name denotes, focus on an enterprise’s financial results.  Compliance and operational audits can focus on hidden numbers and costs that could be reduced, reflecting their focus on adherence, efficiency, effectiveness and process improvement.

Because of ubiquitous staff and other budget-related limitations, the world of intra-enterprise control assurance is moving toward a more integrated approach.  CFE’s, especially those new to the profession and those who are dually certified, should not hesitate to extend their competence to participate as team members in the conduct of financial, operational and compliance audits.  Strict lines between the various types of assurance professionals can only continue to dissolve because separating each audit approach in its individual stovepipe is neither efficient nor effective.  So don’t be afraid to step out of your comfort zone; the experience makes for better auditors and better audits.