Category Archives: Enterprise Risk Assessment

The Initially Immaterial Financial Fraud

At one point during our recent two-day seminar ‘Conducting Internal Investigations’ an attendee asked Gerry Zack, our speaker, why some types of fraud, financial fraud in particular, can go on so long without detection. A very good question and one that Gerry eloquently answered.

First, consider the audit committee. Under modern systems of internal control and corporate governance, it’s the audit committee that’s supposed to be at the vanguard in the prevention and detection of financial fraud. What kinds of failures do we typically see at the audit committee level when financial fraud is given an opportunity to develop and grow undetected? According to Gerry, there is no single answer, but several audit committee inadequacies are candidates. One inadequacy potentially stems from the fact that the members of the audit committee are not always genuinely independent. To be sure, they’re required by the rules to attain some level of technical independence, but the subtleties of human interaction cannot always be effectively governed by rules. Even where technical independence exists, it may be that one or more members in substance, if not in form, have ties to the CEO or others that make any meaningful degree of independence awkward if not impossible.

Another inadequacy is that audit committee members are not always terribly knowledgeable, particularly in the ways that modern (often on-line, cloud-based) financial reporting systems can be corrupted. Sometimes, the companies most susceptible to the demands of analyst earnings expectations are new, entrepreneurial companies that have recently gone public and that have engaged in an epic struggle just to get outside analysts to notice them in the first place. Such a newly hatched public company may not have exceedingly sophisticated or experienced fiscal management, let alone the luxury of sophisticated and mature outside directors on its audit committee. Rather, the audit committee members may have been added to the board in the first place because of industry expertise, because they were friends or even relatives of management, or simply because they were available.

A third inadequacy is that audit committee members are not always clear on exactly what they’re supposed to do. Although modern audit committees seem to have a general understanding that their focus should be oversight of the financial reporting system, for many committee members that “oversight” can translate into listening to the outside auditor several times a year. A complicating problem is a trend in corporate governance involving the placement of additional responsibilities (enterprise risk management is a timely example) upon the shoulders of the audit committee even though those responsibilities may be only tangentially related, or not at all related, to the process of financial reporting.

Again, according to Gerry, some or all of the previously mentioned audit committee inadequacies may be found in companies that have experienced financial fraud. Almost always there will be an additional one: the audit committee, no matter how independent, sophisticated, or active, will have functioned largely in ignorance. It will not have had a clue as to what was happening within the organization. The reason is that a typical audit committee (and the problem here is much broader than newly public startups) will get most of its information from management and from the outside auditor. Rarely is management going to voluntarily reveal financial manipulations. And relying primarily on the outside auditor for the discovery of fraud is chancy at best. Even the most sophisticated and attentive of audit committee members have had the misfortune of accounting irregularities that have unexpectedly surfaced on their watch. This unfortunate lack of access to candid information on the part of the audit committee directs attention to the second in the triumvirate of fraud preventers, the internal audit department.

It may be that the internal audit department has historically been one of the least understood, and most ineffectively used, of all vehicles to combat financial fraud. Theoretically, internal audit is perfectly positioned to nip an accounting irregularity problem in the bud. The internal auditors are trained in financial reporting and accounting. The internal auditors should have a vivid understanding of how financial fraud begins and grows. Unlike the outside auditor, internal auditors work at the company full time. And, theoretically, the internal auditors should be able to plug themselves into the financial reporting environment and report directly to the audit committee the problems they have seen and heard. The reason these theoretical vehicles for the detection and prevention of financial fraud have not been effective is that, where massive financial frauds have surfaced, the internal audit department has often been somewhere between nonfunctional and nonexistent. Whatever the explanation (lack of independence, unfortunate reporting arrangements, under-staffing or under-funding), in many cases where massive financial fraud has surfaced, a viable internal audit function is nowhere to be found.

That, of course, leaves the outside auditor, which, for most public companies, means some of the largest accounting firms in the world. Indeed, it is frequently the inclination of those learning of an accounting irregularity problem to point to a failure by the outside auditor as the principal explanation. Criticisms made against the accounting profession have included compromised independence, a transformation in the audit function away from data assurance, the use of immature and inexperienced audit staff for important audit functions, and the perceived use by the large accounting firms of audit as a loss leader rather than a viable professional engagement in itself. Each of these reasons is certainly worthy of consideration and inquiry, but the fundamental explanation for the failure of the outside auditor to detect financial fraud lies in the way that fraudulent financial reporting typically begins and grows. Most important is the fact that the fraud almost inevitably starts out very small, well beneath the radar screen of the materiality thresholds of a normal audit, and almost inevitably begins with issues of quarterly reporting. Quarterly reporting has historically been a subject of less intense audit scrutiny, for the auditor has been mainly concerned with financial performance for the entire year. The combined effect of the small size of an accounting irregularity at its origin and the fact that it begins with an allocation of financial results over quarters almost guarantees that, at least at the outset, the fraud will have a good chance of escaping outside auditor detection.

These two attributes of financial fraud at the outset are compounded by another problem that enables it to escape auditor detection. That problem is that, at root, massive financial fraud stems from a certain type of corporate environment. Thus, detection poses a challenge to the auditor. The typical audit may involve fieldwork at the company once a year. That once-a-year period may last for only a month or two. During the fieldwork, the individual accountants are typically sequestered in a conference room. In dealing with these accountants, moreover, employees are frequently on their guard. There exists, accordingly, limited opportunity for the outside auditor to get plugged into the all-important corporate environment and culture, which is where financial fraud has its origins.

As the fraud inevitably grows, of course, its materiality increases as does the number of individuals involved. Correspondingly, also increasing is the susceptibility of the fraud to outside auditor detection. However, at the point where the fraud approaches the thresholds at which outside auditor detection becomes a realistic possibility, deception of the auditor becomes one of the preoccupations of the perpetrators. False schedules, forged documents, manipulated accounting entries, fabrications and lies at all levels, each of these becomes a vehicle for perpetrating the fraud during the annual interlude of audit testing. Ultimately, the fraud almost inevitably becomes too large to continue to escape discovery, and auditor detection at some point is by no means unusual. The problem is that, by the time the fraud is sufficiently large, it has probably gone on for years. That is not to exonerate the audit profession, and commendable reforms have been put in place over the last decade. These include a greater emphasis on fraud, involvement of the outside auditor in quarterly data, the reduction of materiality thresholds, and a greater effort on the part of the profession to assess the corporate culture and environment. Nonetheless, compared to, say, the potential for early fraud detection possessed by the internal audit department, the outside auditor is at a noticeable disadvantage.

Having been missed for so long by so many, how does the fraud typically surface? There are several ways. Sometimes there’s a change in personnel, from either a corporate acquisition or a change in management, and the new hires stumble onto the problem. Sometimes the fraud, which quarter to quarter is mathematically incapable of staying the same size, grows to the point where it can no longer be hidden from the outside auditor. Sometimes detection results when the conscience of one of the accounting department people gets the better of him or her. All along s/he wanted to tell somebody, and it gets to the point where s/he can’t stand it anymore and s/he does. Then you have a whistleblower. There are exceptions to all of this. But in almost any large financial fraud, as Gerry told us, one will see some or all of these elements. We need only change the names of the companies and of the industry.

From the Head Down

The ACFE tells us that failures in governance are among the most prominent reasons why financial and other types of serious fraud occur. Often the real cause of the major corporate scandals and failures detailed in the financial trade press is a series of unwelcome behaviors in the corporate leadership culture: greed, hubris, bullying, and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons. So that old saying remains true: fish rot from the head down.

CFEs find themselves being increasingly called upon by corporate boards and upper operating management to assist as members of independent control assurance teams reviewing governance-related fraud risk. In such cases, where a board has decided to engage a third party, such as a consulting firm or law firm, to assess the risk associated with certain governance processes and practices, a CFE member of the team can ensure that the scope of work is sufficient to cover the risk of fraud, that the team’s review process is adequate, and that the individuals involved can provide a quality assessment. Thus, if the CFE has suggestions to make concerning any fraud-related aspect of the engagement, these can be shared with the review team as a whole.

As the fraud expert on a review team identifying governance-related risks, the CFE should, as the ACFE recommends, keep an open mind. Even the best boards, with the most experienced and competent directors, can fail. Examples of red-flag, fraud-related governance risks to consider include:

–Organizational strategies are approved and performance monitored by executives and the board without reliable, current, timely, and useful information;
–There is too great a focus on short-term results without sufficient attention to the organization’s long-term strategy;
–Oversight by the board is limited by a lack of directors with the required business, industry, technical, IT, or other experience;
–The board’s dynamics do not include sufficient challenge and skeptical inquiry by independent directors;
–Oversight by the audit committee is limited by a lack of experience in financial reporting and auditing;
–There have been instances in the past of the external auditors having failed to detect material misstatements because part of their team lacked the necessary industry experience and understanding of relevant accounting standards;
–Board oversight of risk management is constrained by a lack of risk management experience;
–Strategies approved by the board are not linked to individual goals and objectives of managers in operating departments or over key business processes;
–IT priorities are not consistent with business and organizational priorities due to a lack of communication and alignment of goals and incentive programs;
–Employees do not understand the corporate code of business conduct because it has not been clearly communicated and/or explained to them.

Once the team has identified and assessed the principal governance-related risks, the first step is to determine how to address them. The review team should take each in turn and determine the best approach. Several options might be considered. Using generally accepted traditional control approaches, many governance-related risk areas (such as awareness of the corporate code of conduct, alignment of management incentive plans and organizational strategies, or the quality of information used by the executive leadership team and the board) can be addressed without too much difficulty.

Next, the CFE needs to consider which fraud risks to recommend to the team for periodic re-assessment in recurring risk assessment plans. It’s not necessary or appropriate to periodically assess every identified governance-related fraud risk, only those that represent the most significant on-going risk to the success of the organization and its achievement of its overall fraud prevention objectives.

In a relatively mature organization, the most valuable role for the CFE team member is likely to be that of providing assurance that governance policies and practices are appropriate to the organization’s fraud risk control and management needs – including compliance with applicable laws and regulations – and that they are operating effectively.  On the other hand, if the organization is still refining its governance processes, the CFE may contribute more effectively to the governance review team in an anti-fraud consulting capacity advising or advocating improvements to enhance the evolving fraud prevention component of the organization’s governance structure and practices.

Within the context of the CFE’s traditional practice, there will be times when the board or general counsel (which has so often historically engaged the services of CFEs directly) wants the assessment of a particular governance fraud risk area to be performed by in-house counsel. In such instances, the CFE can partner directly with the in-house staff, an alternative to serving as a review team member alongside another type of assurance provider or outside consultant. This arrangement can offer significant advantages, including:

–Ensuring that the CFE has the benefit of the in-house legal team’s subject-matter expertise as well as its knowledge of the company;
–Allowing more CFE control over the scope of work, the way the engagement is performed, the conclusions drawn, and the final report itself; for example, some CFEs might feel more confident about expressing an opinion on whether the fraud risk under review is managed effectively by the board when they have in-house counsel support.

A risk-based fraud prevention plan is probably not complete unless it includes consideration of the risks inherent in the organization’s governance processes. Selecting which areas of governance to review should be based on the assessed level of risk, determined with input from management and (in all likelihood) the board itself. Different governance risk areas with fraud impact potential may merit different CFE involved review strategies, but, whatever approach is taken, careful planning is always a must.

Reviews of fraud risk related to corporate governance are never easy, and they often carry political risk. However, they are clearly important and should be given strong consideration as a component of every fraud prevention effort – not just because they are required by professional assurance standards, but because governance process failures can contribute so devastatingly to financial frauds of all kinds.

The Straight Scoop on Risk

Any practicing auditor will tell you that information requests, getting the information needed to perform an audit or review, can be one of the most frustrating aspects of any audit work, and the information requests involved with fraud risk assessments are no exception. To successfully complete his or her assessment the CFE must develop a thorough understanding of the client’s overall system of internal control, with special emphasis on those controls over financial transactions that reduce or mitigate fraud risk. Information requests usually signal the transition from planning to fieldwork for the CFE. How the request for that information is made sets the tone for the assessment, and can help or hurt the CFE-to-client relationship. It can also positively or negatively impact the overall achievement of review objectives, so it’s important to spend the time to get this step right.

It’s been my experience that reviewers new to CFE practice tend to compile their requests for information hastily under the assumption that the sooner they request the information, the sooner they’ll get the reply. However, as we’ve all experienced, information requests can get lost, forgotten, or ignored, and weeks can go by with no response. Since CFEs aren’t generally easily deterred, the problem is typically addressed by sending follow-up emails, leaving voice mails, and, as a last resort, knocking on the CFO’s office door in an attempt to get all the requested information prior to the start of serious fieldwork. And the initial request is only the beginning. During some reviews, information requests seem to never end. If the first request was for a list of key customers, a second request for invoicing procedures soon follows and the whole request process starts all over again, moving like an arrow straight on through to the end of the assessment.

An alternative way around all this requires a little more work on the front end but organizes requests so that they reach the target data source quicker, questions are answered faster, and the CFE builds a stronger relationship with the client. This is done by scheduling a formal, face-to-face meeting with the provider of the target information in his or her office immediately following the entrance conference with the CEO, corporate counsel or audit committee who engaged the CFE. The CFE should ask for and receive permission from the CEO before any information is requested from subordinate staff. The upper-management-sanctioned meeting with the targeted business process expert staff (say, the CFO or the Chief Information Systems Officer, CIFO) takes place prior to any formal information request being submitted in writing.

Meeting with the targeted business process staff in this way has many benefits and, in my experience, is well worth the time. In addition to supporting a general discussion about what information is available, it’s often possible to obtain some of the requested items themselves during the face-to-face. I’ve often been directed to the information I want on the company databases simply by directly asking the CIFO for it. Such meetings are invaluable to the CFE since they provide an opportunity to improve her knowledge of the business and strengthen her relationship with business process owners. This approach doesn’t excuse the CFE from doing all he or she can beforehand to develop as much understanding as possible of what items of information to request during the meeting; it’s common to learn something new about the control system of a business process in a meeting with a process expert that makes some aspect of the original request irrelevant. The best way to handle this is to have developed a solid overview of the fraud risk assessment process, its steps and objectives, so the CFE can quickly regroup and make a new request that better satisfies the complete, overall assessment objective.

During the meeting(s) with individual process owners the CFE should provide a brief overview of the assessment and its objective(s); this will help communicate the reason for the specific information requests. Through an easy give and take the CFE can explore with the process expert where the requested information is housed and how it might best be accessed. A benefit of this approach is that all clients appreciate having the assessment objectives and requests explained to them in person. They are more willing to provide the documentation and answer the inevitable follow-up questions that arise later because they have a clear understanding of what is needed and why. If, during the discussion with the process expert, the reviewer realizes a change needs to be made to a request, it can be addressed in real time. This also saves the CFE from having to send an embarrassing email apologizing because he or she inadvertently requested the wrong information.

Following discussion of all the requests, the CFE should consider wrapping up the meeting by asking a few questions about how the business is doing, whether any new initiatives are being undertaken, whether that new financial system software is meeting expectations, etc. Anything learned about the business will improve the CFE’s ability to make fraud prevention recommendations and may identify other areas of fraud vulnerability to look into at a later time. Working to obtain this useful control-related information is much easier face-to-face than over the phone or via email.

After the meetings with the client’s business process experts are finished, the CFE and his or her team (if any) will be able to start testing immediately because most of the requested documentation has been obtained or its location identified. Another benefit of this approach is efficiency, because it can significantly reduce the time spent waiting and following up with the business process owner. It also allows the CFE to use his or her time effectively.

It is much better to spend one hour with the client up front than to spend an hour in each of the following three weeks sending follow-up emails. The best-case scenario is that the CFE walks out of the meeting with all the requested information in hand or its location identified, ready to start reviewing and testing. The worst-case scenario is that the CFE leaves the meeting without the requested information, but now knows where the supporting documentation is located and can pull the information him or herself. Regardless of the outcome, the CFE has spent time building a stronger relationship with the client’s business process owners and may have received some valuable information related to that department or business process that could never have been obtained through a seemingly endless email drive.

The Dually Certified CFE

We all know that public and private sector auditors of all kinds are stretched critically thin during these times of straitened administrative budgets. But I also know from personal experience that Chief Audit Executives (CAEs) everywhere are continually on the lookout for cross-trained staff, with potential staff members who have the ability, training and experience to perform some mix of fraud, financial, operational and IT audits in especially high demand. For that reason fraud examiners new to the profession have a special need for a broad understanding of how the generic audit process works, so as to make the strongest contribution to their employer’s overall audit effort.

The primary role of assurance and risk control professionals within any organization is to continually, independently and objectively assess the controls, fraud risks, reliability and integrity of the enterprise environment. These assessments can help maintain or improve the efficiency and effectiveness of the organization’s overall risk management, internal controls and corporate governance. Those dually certified as fraud examiners as well as CPAs, CIAs and CISAs can evaluate corporate objectives, plans, strategies, and policies and procedures to ensure adequate management oversight of fraud risk, thereby reducing actual instances of fraud, waste and abuse. Anti-fraud recommendations developed during the fraud risk assessment process can complement control-strengthening recommendations developed and presented to management by other members of the organizational control assurance team.

I would argue that dually certified CFEs are in an especially powerful position to add value to the performance of internal financial, operational and compliance auditing assignments. The CFE’s expertise regarding the red flags of financial statement fraud can be an integral part of any financial audit. A financial statement audit, or more accurately, an audit of financial statements, is a review of an enterprise’s financial statements that results in the publication of an independent opinion on the relevance, accuracy, completeness and fairness (RACF) of the presentation of the financial statements. Internal auditors of all types don’t opine on the company’s financial results, but, as part of their annual audit plans, constantly perform substantive tests on financial balances to verify RACF. The CFE and other members of the internal audit team conduct periodic analyses, reviews and tests of the financial accounting system; successful passing of the tests decreases the amount of associated risk and provides valid input for adjustments to the fraud risk assessment.

Operational auditing is the process of reviewing a division or department of the enterprise, government or non-profit organization to measure the effectiveness, efficiency and economy of operations. This is an evaluation of management’s performance and conformity with policies and budgets. The objective is to appraise the effectiveness and efficiency of a division, an activity or an operation in meeting organizational goals. Ineffective and inefficient operations are a breeding ground for management and employee dissatisfaction and constitute a red flag of management fraud. As an example, a poorly or incompletely implemented automated control system is an open invitation for exploitation by internal fraudsters, who always know the faulty system better than management.

Internal assurance professionals conduct compliance audits to gauge organizational adherence to regulatory guidelines, local, State and Federal. Elements to be evaluated depend on whether the enterprise is a public or private sector entity, what kind of data it handles, and whether or not it transmits or stores sensitive personal client and financial data. A glance at the newspaper should be enough to convince anyone of the costs involved in State and Federal regulatory violations, and any such violations are only exacerbated by instances of fraud. There can be no question of the role that can be played by the experienced CFE in compliance auditing. Fraud prevention controls are part of compliance, and these controls must be fully integrated into the organization’s overall plan for compliance in order for the enterprise to pass State and Federal audits of the use of taxpayer funds. Considerations of fraud prevention must be involved in all facets of compliance auditing.

From the CFE’s perspective the main differences among internal financial, operational and compliance auditing are the purpose of the audit, the inclusion of non-financial business processes, and cost/benefit versus verification. Financial audits, as their name denotes, focus on an enterprise’s financial results. Compliance and operational audits can focus on hidden numbers and costs that could be reduced, demonstrating instead a strict focus on adherence, efficiency, effectiveness and process improvement.

Because of ubiquitous staff and other budget-related limitations, the world of intra-enterprise control assurance is moving toward a more integrated approach. CFEs, especially those new to the profession and those who are dually certified, should not hesitate to extend their competence to participate as team members in the conduct of financial, operational and compliance audits. Strict lines between the various types of assurance professionals can only continue to dissolve, because separating each audit approach in its individual stove pipe is neither efficient nor effective. So don’t be afraid to step out of your comfort zone; the experience makes for better auditors and better audits.

Is the Horse Back in the Barn?

I attended an excellent lunch-hour presentation the other day by a chief audit executive (CAE) on the importance of following up on internal audit findings. It occurs to me that some of the same follow-up techniques developed by internal auditors could enhance the value of the services performed by CFEs and forensic accountants as well. The Institute of Internal Auditors’ ‘International Standards for the Professional Practice of Internal Auditing’ stipulate that a follow-up process is essential to monitor and ensure that management’s corrective actions have been implemented effectively or that senior management has accepted the risk of not taking action. As CFEs become more involved in the process of on-going fraud risk assessment and other fraud-related services to client managements, it seems to me that following up on the functioning of remediation controls has to become a more vital aspect of the anti-fraud planning process, especially in the wake of every formally identified and investigated fraud.

Additionally, a defined process to follow up on our fraud examination engagements is likely to be of great value in assisting clients in improving organizational fraud prevention overall. Following a fraud, management and other corporate stakeholders are understandably looking for as much reasonable assurance as they can get that corrective and remediative actions have been taken within a reasonable time frame and are effective in mitigating future fraud-related risk. The idea here is that, as valuable as the findings of the fraud report are in themselves, their greatest value is as a guide to the prevention of future frauds. An example of this might be the identification of specific fraudulent provider claims in a health care payment system. If management, building on the fraud report, can adjust the edits of its claims payment system to prevent future, similar fraudulent claims from even paying, then there is, in effect, no future fraud, at least regarding these specific types of claims. One of the great advantages of the application of analytics to paid claims in health care fraud is that it guides the creation of edits to prevent fraud on the front end (pre-payment), as opposed to fraudulent payment identification after the fact (focused on often futile attempts at payment recovery).

I’m not suggesting that every fraud examination we conduct needs to be thoroughly followed up. Decisions about when and how to follow up on the control vulnerabilities identified during a specific fraud examination can certainly be open to interpretation depending on the circumstances of the identified fraud and on the culture of the client organization itself. It seems to me that fraud examiners would need to consider several factors before recommending a post-investigation fraud follow-up process of some kind to client management. First, every fraud is significant, because even a fraud of minor appearance can mask, or be a component of, a larger fraud; with that said, fraud examiners should ponder the significance of their reported findings, the degree of effort they feel would be required to implement remediation, the associated costs and benefits, as well as the complexity of the proposed anti-fraud corrective actions and the time required to implement them.

Depending on the client organization’s corporate culture, it seems to me we could take a leaf from the internal auditor’s playbook and recommend that the client follow up on the fraud report’s implications for control improvement six months after the report’s issue date. I say six months because it’s as important to give management sufficient time to implement fraud remediation as it is for the fraud examiner to gather appropriate information to support the follow-up engagement. That information may include testing a sample of previously vulnerable transactions and obtaining adequate supporting documentation to determine whether management actually corrected the deficiencies that created the initial vulnerability to fraud.

The most valuable product of the follow-up is an updated fraud risk assessment which, if properly set up, already serves as a tracking system, enabling management to see that its efforts to improve the efficiency and effectiveness of the organization’s fraud prevention program are bearing fruit. In addition to the updated fraud risk assessment and the documentation of the update process, the benefits of a fraud engagement follow-up include:

–ensuring that corrective actions related to fraud remediation have been fully implemented;
–providing up-to-date status reporting for fraud remediation;
–highlighting control issues that continue to pose a fraud threat to the organization.

A formalized fraud follow-up process can be a useful tool for fraud examiners and client management alike. It goes beyond management’s ‘is the horse back in the barn?’ focus in the wake of a fraud by 1) ensuring that fraud remediation efforts are implemented or otherwise adequately addressed, 2) correcting control deficiencies and so contributing to the management of future fraud risk and 3) strengthening the protection of those corporate assets most attractive to the ethically challenged.

Effective Oversight of Emerging Fraud Risk

Let’s face it. Ongoing change management within the enterprise risk management (ERM) process of any medium to large organization can be a daunting, almost overwhelming task. The challenge is compounded by the difficulty of gathering and sifting intelligence from a diverse and ever-changing management team whose members have varying levels of experience and differing agendas. We know from COSO that a sound ERM posture begins with the entity’s risk framework and related governance architecture being sharply focused on the decision-making process that directs fraud risk mitigation. But in such a heap of distinctly differing management roles and responsibilities (many seemingly codified in stone), how do we get the data we need to identify current, critical changes to the organization’s risk appetite and then manage emerging fraud risk in light of that changing appetite? For upper management, and for the fraud examiner immersed in such an environment, effective risk mitigation becomes the ultimate challenge and, as we all know, you can’t do a very effective job of mitigating a threat you can’t see.

You can recommend to upper management that one way to address the lack of systematically gathered intelligence about ongoing and emerging fraud risks is to implement a forum structure in which its designated business process risk owners meet regularly to share with management their oversight of their own changing risk profiles.

There’s no question that some fraud-related risks are emerging faster than others. Confronted with the special, ongoing challenge of cataloguing the hacking risks to digital systems (especially the risk of theft of identity-related data), now present across all industries, the need for management to aggressively close the risk identification and mitigation gap has never been more acute. I would argue that periodically scheduled internal risk identification forums are a cheap and surprisingly effective way to increase the level of upper management’s actionable intelligence on this increasingly critical topic. It never ceases to surprise me just how much operating managers actually know about the threats that confront them, if they’re given the right context for sharing the information.

A formalized emerging risk forum composed of key operating managers (risk owners, in COSO terms) and, if management is willing, a knowledgeable consulting fraud examiner, does a number of important things for your client’s upper management as it struggles to identify a multitude of emerging fraud risks while lacking insight into how to deal effectively with any of them:

–Communication is facilitated between upper management and business process risk owners who may not be in regular direct contact with one another. Risk owners from one division or operating unit may have a partial conception of a fraud risk or scenario but not a view of the entire risk posed by the full scenario as the consulting fraud examiner can portray it. The regular meetings of the fraud risk forum constitute a setting where participants can compare notes about the many different types of fraud risk which, in their opinion, taken together might constitute a pattern or catalogue of risk types confronting the organization. In my experience, these regular discussions can uncover risks currently thought to be small that in combination expose the organization to a higher level of risk than anticipated, and that therefore deserve a higher level of attention for mitigation.

–Every organization has silos between, and even within, its operational and administrative components. Regularly scheduled risk forums allow process owners to build strong working relationships with each other and to draw on their collective experience and expertise regarding what they individually and collectively perceive as threats to the organization.

–Risk forums provide senior management, the chief security officer (if there is one) and business continuity planning staff a platform from which to consistently communicate the big picture to business process owners about developments that may affect risk management in their individual operational divisions or subsidiaries; an example would be the movement of locally hosted financial systems to a cloud-based solution, which changes the overall financial risk profile of the organization.

–The contextual environment in which information is shared can be crucial to its credibility. Allowing participants to use the collective stature and influence of the forum to present their opinions about risk and mitigation lends weight to the deliberations for all participants. Presentation in the forum addresses the problem that individual business process owners may not have the personal stature in the organization to make fraud risk mitigation recommendations that business unit leaders would be inclined to take seriously. It goes without saying that there must be no retaliation for anything said in an emerging risk forum if the exercise is to have any ongoing value to management.

So, once again, we fraud examiners can perform a valuable service for our client organizations by recommending the creation of fraud risk control and mitigation structures like the emerging risk forum. The fraud examiner’s knowledge of fraud scenarios and of effective ways to mitigate the multitude of risks such scenarios represent, combined with existing relationships with senior managers and corporate counsel, places him or her in a powerful position to add value to the challenging process of fraud risk identification and mitigation.

A Framework for an Anti-Fraud Policy Process

One of our readers, currently working in Thailand for an English multinational oil company as a senior security officer, posted a question over the weekend about the steps involved in setting up the overall framework of a fraud control policy process for her local office. One approach is to view overall fraud control policy as existing in three layers: corporate, administrative and operational. Collectively, the layers represent the control policy of the organization; however, each layer has a particular purpose, or role, that directly shapes the anti-fraud policy created at that layer and who uses it.

The corporate fraud control policy is strategic in nature and supports the corporate objectives, business processes and controls that guide the organization as a whole. It’s also closely aligned with the strategic planning process and the enterprise risk assessment (see the Enterprise Risk Management posts on this site). This policy is created at the executive level and tends to be broad in scope and application. Properly constructed, corporate fraud control policy should be minimal in volume and should require only occasional (annual) review and updating. It should be heavily influenced by the board of directors and is typically subject to their direct review and approval, since it leads into and ties seamlessly with the corporate Code of Ethics and Conduct (perhaps as an introduction to the Code).

Administrative fraud control policy is created by service departments such as finance, human resources, supply-chain management and information technology. These functions are sometimes collectively referred to as organizational controls because the anti-fraud controls defined in their policies apply across the organization regardless of the business activity. As such, these policies set the rules by which personnel interact with each other within the organization on a daily basis. Critical to the fraud control objective, administrative controls guide management in using resources (the frequent target of frauds) efficiently and in achieving business objectives. Administrative policy is typically the most easily managed anti-fraud policy layer because its functions are relatively stable and the policies (if they are readily available and employees are trained in their use) are referenced frequently by most employees. Consequently, they tend to remain reasonably current, since the employees responsible for them perform recurring control activities that require them to update these policies as the business and control environment changes. The downside of administrative fraud control policy is that it is usually the most voluminous policy layer and therefore the one that accumulates the most revisions.

Operational policy is the largest area of the fraud control policy structure and is most closely linked to individual business processes. It’s also the layer which, in my opinion, typically contains the most challenges and deficiencies. Each operational business process within the organization requires some level of anti-fraud policy to guide its management and staff in day-to-day fraud prevention. Business is constantly changing and fraud scenarios evolve right along with it; fraud is part of the mix of general business growth, decline, market changes, regulatory and environmental requirements, competition, economic boom and bust, and the overall desire of the company to flourish for its stockholders and other stakeholders. If operational fraud control policy does not keep pace with this velocity of change, the risk increases that operational decisions will be made by individual bad actors in ways that no longer align with the anti-fraud objectives of upper management and the board. For this reason organizations should include in their anti-fraud policy process provision for a periodic assessment of the entire process, from the top to the bottom of all three layers.

Fraud examiners are ideally qualified to conduct such reviews, as they have the necessary knowledge and objectivity to deliver a comprehensive assessment to management. The fraud examiner also brings the communication and facilitation skills needed to explain, and where necessary to instruct, management at all levels on the appropriate steps to take to address anti-fraud policy deficiencies or to strengthen the process itself. Communication, technology, policy ownership and the policy process itself are the key issues fraud examiners should consider when evaluating any anti-fraud policy process.

Please make plans to join us on April 16-17, 2014 for the Central Virginia Chapter’s seminar, Introduction to Fraud Examination, for 16 CPE ($200.00 for early registration)! For details see our prior post, “Save the Date”.

Is There a Doctor in the House? Your Annual ERM Checkup

I’ve been working these last few weeks helping a consulting client review this year’s performance of its enterprise risk management (ERM) system; the system was extended a few years ago beyond the company’s financial business processes to all 150 of the remaining business processes of the enterprise. This “annual physical” is as important for the health of a risk management system as it is for the health of your doctor’s patients, since both are ongoing, process-dependent undertakings. There are many well-documented benefits of performing such an annual review across all your client’s ERM component business processes, including enterprise-wide integration of updated risk evaluations, standardization of the review, enhanced fraud prevention and streamlined reporting of review results to upper management.

The annual ERM health check typically features interviews with key business process owners and a review of ERM documentation to determine whether key related controls are functioning as intended, whether project-related tasks are being completed on time and within budget, whether ERM objectives are being achieved and whether the risks related to those business processes critical to the ongoing success of the business are being managed effectively.

Your review should also determine whether key annual prerequisites have been defined for the ERM project (e.g., business ownership, governance and project definition). Has the organization identified a single point of accountability for its ERM project? The answer to this question often isn’t obvious; I’ve found that overall responsibility for the ERM project is often fragmented, which constitutes a significant control weakness for the organization.

You should also look for a quality assurance process for the ERM project. What mechanisms are in place to ensure that ongoing risk updates and related items of critical documentation are of consistent quality? This can only be determined by some kind of consistently occurring, concurrent quality assurance process.

Are the right people devoting the right amount of time to work on the ERM project? Often, by necessity, the ongoing completion of ERM-related tasks is assigned as one or more collateral projects to business process owners whose primary jobs are something else; that’s fine if the product is ultimately reviewed by some higher level of management. I look for some kind of competency framework to ensure that those working on ERM-related assignments represent the best human capital the company can muster, given the risk expertise the assignments require.

Is there evidence that the enterprise manages change well enough in general to be able to identify changing risks to its business processes? Change management is a professional discipline, and risk assessment is a major component of it. The discipline of change management is now well established and must be integrated into your client’s ERM project by someone who has authority with both the ERM project team and senior levels of client management; this is critical to the success of the project.

With the foregoing as general background, your annual check-up of the health of your client’s (or employer’s) ERM project might include getting answers to the following (or similar) general questions:

–Is the ERM project properly sponsored by the highest levels of management?
–Is there a business case and defined budget for ERM?
–Is there a documented, formal approach to managing the risks, risk scenarios, fraud scenarios and related issues and communications that fall within ERM?
–Is there a detailed ERM annual work plan that is actively monitored by business process owners and by compliance professionals like internal auditors, fraud examiners and fiscal controllers?
–Are ERM human resource related roles and responsibilities defined clearly?
–Is the ERM project delivering what was requested of it by management at its inception?
–Is infrastructure in place to support daily project operation?
–Have all ERM project milestones been achieved to date?

When the check-up is complete, be sure to evaluate the performance of the check-up itself by performing and documenting a short critique. This step is important since, hopefully, you’ll be doing another check-up next year. What went well with the check-up that could be leveraged to improve the process in the future? What process-related issues were encountered, and how were they resolved?

Your annual ERM check-up will provide independent corporate governance oversight to help keep the ERM project on track and, ultimately, could make the difference between long-term ERM project success and failure.

Fraud Risk Prioritization – Quick & Dirty Fraud Risk Assessment

We fraud examiners often have very limited resources, in the trenches of an actual investigation, to perform the sometimes extensive fraud risk evaluations necessitated by the facts of the case. Good professional practice dictates that our scarce resources be assigned to the activities that offer the greatest return to our client’s case. During the investigation of a complex fraud, the fraud examiner may have occasion to investigate client functions other than those initially thought to be directly impacted by the primary fraud; the question may arise on the part of employing counsel as to just how vulnerable the client is to specific fraud schemes in general. This bears on how widespread the primary fraud scheme, and any directly related corollary schemes, might be within the body of the organization.

I’ve found that an effective, field work oriented fraud risk prioritization scheme can be constructed out of the following steps: 1) identify fraud risk dimensions; 2) identify fraud risk characteristics; 3) analyze fraud risk characteristics; and 4) assess fraud risk.

Fraud risk dimensions are factors such as the size of the client business process subject to the fraud, the general history of fraud within the organization as a whole and the apparent structure of the specific fraud scenario under investigation. The objective of identifying fraud risk dimensions is to categorize fraud risk by its determinant, or causal factor. Fraud risk characteristics within a dimension are more closely related to one another than characteristics in different dimensions. Identifying the dimensions provides input for forming an opinion as to how well client management is managing fraud risk within the business process subject to the fraud, and for selecting the specific characteristics the fraud examiner will investigate.

Fraud risk characteristics are the attributes of the victim enterprise that are known to create exposure to fraud. The presence or absence of these attributes in the entity under investigation can often be used to predict how a fraud scenario will behave. An analogy would be predicting the probability of a heart attack by correlating risk characteristics such as an individual’s blood pressure, weight, family health history, smoking and dietary habits, and so on.

The analysis of fraud risk characteristics consists of the fraud examiner determining how much each characteristic contributes to the magnitude of total fraud risk. This analysis assigns weights to the individual characteristics within the population of characteristics.

The assessment of fraud risk involves the development of a fraud risk score. The fraud risk score is the sum of the point values assigned to each identified fraud characteristic according to its magnitude of risk. The most common scoring method (and the least complicated for an examiner in the field) is to divide a general risk characteristic into rated subcategories. For example, if the client business process being evaluated for the impact of a possible fraud falls into the high-risk category of the client company’s business processes, it would be assigned three points; a process in the medium-risk category would receive two points, and a low-risk process one point. If a more sophisticated scoring method is desired, multiply each characteristic’s points by a weight reflecting its comparative importance before summing.

The scores and information gathered during this quick and dirty, field work related fraud risk analysis can then be used as a basis for allocating fraud examination resources. Priorities can be derived specific to the case: for example, directing the examination team to review the automated support systems, or the high-fraud-risk aspects of those systems, rather than manual processes that are less at risk given the fraud scenario under investigation. Medium-risk aspects of the business processes suspected of involvement in the scenario would get a more cursory review.
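As an added illustration (not code from the original post), here is one way the four-step scheme above could be carried into a field worksheet in Python. The characteristic names, their grouping under the post’s three dimensions, the weights and the ratings for the three sample processes are all constructed assumptions; the 3/2/1 point values and the high, medium and low review tiers follow the post. Weighting every characteristic at 1.0 reproduces the simpler unweighted method, and an unrated characteristic is treated as an error rather than a zero, so a process the examiner never got around to rating cannot quietly sort to the bottom of the list.

```python
"""Quick-and-dirty fraud risk scoring for business processes under examination.

Added example, not code from the post. Characteristic names, dimensions,
weights and the sample ratings are constructed assumptions; the 3/2/1 point
values and the high/medium/low review tiers follow the post.
"""
from dataclasses import dataclass

# Point values from the post: high-risk = 3, medium = 2, low = 1.
POINTS = {"high": 3, "medium": 2, "low": 1}

# How deep the examination team goes for each tier (assumed mapping).
REVIEW_DEPTH = {"high": "detailed field review", "medium": "cursory review", "low": "defer"}


@dataclass(frozen=True)
class Characteristic:
    """An attribute known to create fraud exposure, grouped under a risk dimension."""
    name: str
    dimension: str
    weight: float = 1.0  # weight 1.0 everywhere reproduces the unweighted method


def _weighted_points(ratings, c):
    """Points for one characteristic; a missing or unknown rating is an error,
    so an unrated process can never score as if it were low risk."""
    rating = ratings.get(c.name)
    if rating not in POINTS:
        raise ValueError(f"{c.name}: rating must be one of {sorted(POINTS)}, got {rating!r}")
    return POINTS[rating] * c.weight


def process_score(ratings, characteristics):
    """Fraud risk score: sum over characteristics of point value x weight."""
    return sum(_weighted_points(ratings, c) for c in characteristics)


def dimension_scores(ratings, characteristics):
    """Score broken out by dimension, showing which determinant drives the total."""
    by_dim = {}
    for c in characteristics:
        by_dim[c.dimension] = by_dim.get(c.dimension, 0.0) + _weighted_points(ratings, c)
    return by_dim


def review_tier(score, characteristics):
    """Place a score in the bottom, middle or top third of the attainable range."""
    total_weight = sum(c.weight for c in characteristics)
    lo, hi = POINTS["low"] * total_weight, POINTS["high"] * total_weight
    fraction = (score - lo) / (hi - lo)
    if fraction >= 2 / 3:
        return "high"
    if fraction >= 1 / 3:
        return "medium"
    return "low"


def prioritize(assessments, characteristics):
    """Rank processes by score, highest first: list of (process, score, tier)."""
    ranked = [(p, process_score(r, characteristics)) for p, r in assessments.items()]
    return [(p, s, review_tier(s, characteristics))
            for p, s in sorted(ranked, key=lambda ps: ps[1], reverse=True)]


# Constructed characteristics under the post's three dimensions.
CHARACTERISTICS = [
    Characteristic("transaction_volume", "process size", 1.0),
    Characteristic("dollar_throughput", "process size", 1.5),
    Characteristic("prior_incidents", "fraud history", 2.0),
    Characteristic("manual_overrides", "scenario structure", 1.5),
    Characteristic("system_access_breadth", "scenario structure", 1.0),
]

# Constructed field ratings for three processes touched by a hypothetical case.
ASSESSMENTS = {
    "accounts payable": {"transaction_volume": "high", "dollar_throughput": "high",
                         "prior_incidents": "high", "manual_overrides": "high",
                         "system_access_breadth": "medium"},
    "payroll": {"transaction_volume": "medium", "dollar_throughput": "medium",
                "prior_incidents": "low", "manual_overrides": "low",
                "system_access_breadth": "low"},
    "travel expense": {"transaction_volume": "high", "dollar_throughput": "low",
                       "prior_incidents": "medium", "manual_overrides": "medium",
                       "system_access_breadth": "low"},
}

if __name__ == "__main__":
    for process, score, tier in prioritize(ASSESSMENTS, CHARACTERISTICS):
        print(f"{process:17} {score:5.1f}  {tier:6}  {REVIEW_DEPTH[tier]}")
        for dim, part in dimension_scores(ASSESSMENTS[process], CHARACTERISTICS).items():
            print(f"{'':17} {part:5.1f}  {dim}")
```

Run as a script, the worksheet ranks accounts payable first (score 20.0 of a possible 21, high tier), travel expense second (12.5, medium) and payroll last (9.5, low), and the per-dimension breakdown shows that, for accounts payable, the process size dimension contributes more than either fraud history or scenario structure, which is exactly the kind of pointer toward automated versus manual review the post describes.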

The objective of the field oriented fraud risk assessment is to improve the fraud examination process by directing field work to the areas of highest risk, thereby increasing examination effectiveness and lowering client costs.

Privacy Impact Analysis

I was a participant in a security forum last week in Northern Virginia on the topic of data privacy in general and its implications for fraud examination specifically. One of my fellow speakers made a very forceful case for the performance of a privacy impact analysis by any corporation holding large amounts of customer data. Her argument was that a privacy impact analysis should be a key component of every corporate security management program. The objective of this type of assessment is to ensure that the risk of exposing personally identifiable information is contained at every level of the organization: every business process composing the enterprise needs to be separately assessed for its vulnerability to privacy threats, not just the business functions directly related to information management.

By identifying vulnerabilities throughout the entire book of business processes constituting its enterprise, an organization can significantly reduce the possibility of identity theft occurring at different stages of its business cycle and safeguard the client information entrusted to its care. My colleague argued that a privacy impact assessment creates a structured process for analyzing technical and non-technical privacy requirements and compliance with relevant regulation, all of which can be dovetailed neatly into the organization’s enterprise risk management (ERM) effort.

For risks identified by the privacy impact analysis as above an acceptable level, our speaker recommended three additional steps. First, conduct the necessary research and fully, not partially, implement appropriate prevention techniques, tools and corporate policy changes. Second, make sure there’s a sound, tested recovery plan in place in case of a successful attack involving the loss of personal information. Third, develop an effective incident response plan well in advance of an actual attack. Those of you involved in ERM will be familiar with each of these steps; taken together they demonstrate due diligence and should somewhat lessen legal liability should an unpreventable breach occur. This is important because customers and investors alike quickly lose confidence in proportion to any negative corporate news, but especially when it’s perceived that the due diligence required to safeguard customer information was absent. A major event can cause a corporation to lose credibility and business to a competitor. This obviously affects share price, which in turn can lead to a sell-off by investors. Such an occurrence can be devastating to a corporation, possibly to the extent that it cannot recover.

Public policy, embodied in current law, requires that organizations notify their customers and clients when privacy breaches occur. These notifications are usually accompanied by a year of free credit monitoring so customers can watch their credit reports for evidence of identity theft; all this remediation is costly and embarrassing, and just the sort of situation the privacy impact analysis is designed to prevent.

A final point has to do with employees. Knowledge is power. If employees are aware of how identity theft of customer data occurs and succeeds, they can take many steps, as part of their routine daily duties, to prevent it. So don’t exclude the privacy awareness level of the work force as a critical score element of the privacy impact analysis, and if privacy-related weaknesses involving corporate staff are identified, don’t hesitate to address them quickly. The ACFE has emphasized in study after study that work force fraud awareness training is one of the most effective fraud deterrence tools there is.