Category Archives: Enterprise Risk Management

Regulators & Silos

I was reading last week on LinkedIn about a large, highly regulated, financial institution that was defrauded over a long period of time by two different companies, both of which were its suppliers. To add insult to injury, subsequent investigation by a CFE revealed that the two vendors were subsidiaries of a third, which proved also to be a supplier of the victim concern; all three cooperated in the fraud and our victim was completely unaware prior to the investigation of any relationship between them; the kind of ignorance that can draw intense regulatory attention.

This is not as uncommon an occurrence as many might think but it is illustrative of the fact that today’s companies are increasingly forced to expend resources simply trying to understand and manage the complex web of relationships that exist between them and the organizations and people with which they deal; that is, if they want to avoid falling victim to frauds running the whole gamut from the simple to the complex. Such efforts involve gaining perspective on individual vendors and customers but extend far beyond that to include sorting through and classifying corporate hierarchies and complex business-to-business relationships involving partners, suppliers, distributors, resellers, contacts, regulators and employees.

These complex, sometimes overlapping, relationships are only exacerbated by dynamic geographic and cross-channel coordination requirements, and multiple products and customer accounts (our victim financial organization operates in three countries and has over 4,000 employees and hundreds of vendors). No fraud prevention program can be immune in the face of these challenges.

Financial companies that want to securely deliver the best experience to their stakeholders within intensified regulatory constraints need to provide themselves with a complete picture of all the critical parties in their relationships at the various points of service in the on-going process of company operations. The ability to do this requires that organizations have a better understanding of the complicated hierarchies and relationships that exist between them and their stakeholders. You cannot manage what you cannot see and you certainly cannot adequately protect it against fraud, waste and abuse.

The active study of organizational hierarchies and relationships (and their related fraud vulnerabilities) is a way of developing an integrated view of the risk shared among cooperating entities, such as our CFE client companies and their affiliates, customers and partners, across multiple channels, geographies or applications. The identification of organizational relationships can help our client companies clearly and consistently understand how each of their affiliates, business divisions and contacts within a single multi-national enterprise fit within a broader, multidimensional context. Advanced organizational management approaches can help organizations track when key people change jobs within and between their related affiliates, vendors and companies. Advanced systems can also identify these individuals’ replacements, feeding a database of who is where that is vital to tracking shifting patterns of enterprise risk.

Our client financial companies that take the time to identify and document their organizational relationships and place stakeholders into a wider hierarchical context realize a broad range of fraud, waste and abuse prevention related benefits, including:

• Enhanced ability to document regulatory compliance;
• More secure financial customer experiences, leading to enhanced reputation, increased loyalty and top-line growth;
• More confident financial reporting and more accurate revenue tracking;
• Reduction of over-all enterprise fraud risk;
• More accurate vetting of potential vendors and suppliers;
• More secure sales territory and partner program management;
• Improved security program compliance management;
• More accurate and effective fraud risk evaluation and mitigation.

The ability to place stakeholders within hierarchical context is invaluable to helping companies optimize business processes, enhance customer relationships and achieve enterprise-wide objectives like fraud prevention and mitigation. Organizations armed with the understanding provided by documented relationship contexts can improve revenues, decrease costs, meet compliance requirements and mitigate risk, while realizing many other benefits.

As with our victimized financial enterprise, a company without relational data regarding vendors and other stakeholders can be unknowingly dealing with multiple suppliers who are, in fact, subsidiaries of the same enterprise, causing the company to not only inadvertently misrepresent its vendor base but, even more importantly, increase its vulnerability to fraud. Understanding the true relational context of an individual supplier may allow a company to identify areas of that vendor’s organization that represent enhanced internal control weakness or fraud risk. Conversely, an organization may fail to treat certain weakly controlled stakeholders strategically because the organization is unaware of just how much business it is doing with that stakeholder and its related subsidiaries and divisions.

Risk management has always been a core competency for organizations in general and for financial institutions in particular. However, integrated enterprise risk management (ERM) practices and corporate governance disciplines are now a regulatory imperative. Any institution that views corporate governance as merely a compliance exercise is missing the mark. Regulatory compliance is synonymous with the quality of the integrated ERM framework. Risk and control are virtually inseparable, like two sides of a coin, meaning that risks first must be identified and assessed, and then managed and mitigated by the implementation of a strong system of internal control. Accurate stakeholder relational data is, therefore, critical to the effectiveness of the overall ERM process.

In today’s environment, the compliance onus rests with the regulated. In a regulatory environment where a client enterprise’s ignorance of what is happening within its own organization is no longer a defense, responsibility for compliance now rests with the board and senior management to satisfy regulators that they have implemented a mature fraud prevention framework throughout the organization, effectively managing risk from the mailroom to the boardroom.

An integrated control framework with more integrated risk measures, both across risk types and economic and regulatory capital calculations, is warranted. Increased demands for self-attestation require elimination of fragmentation and silos in business and corporate governance, risk management, and compliance.

Compliance needs to be integrated into the organization’s ERM base fraud prevention framework, thereby making the management of regulatory risk a key part of effective overall compliance. Compliance needs to be seen as less of a function and more as an institutional state of mind, helping organizations to anticipate risk as well as to avoid it. Embedding compliance as a corporate discipline ensures that fraud prevention controls are entrenched in people’s roles and responsibilities more effectively than external regulations. The risk management function must not only address the compliance requirements of the organization but must also serve as an agent for improved decision making, loss reduction and competitive advantage within the marketplace.

Organizations can approach investments in corporate governance, relationship identification, risk management practices and regulatory compliance initiatives as one-off, isolated activities, or they can use these investments as an opportunity to strengthen and unify their risk culture, aligning best practices to protect and enhance stakeholder value. A silo-based approach to fraud prevention will not only be insufficient but will also result in compliance processes layered one upon the other, adding cost and duplication, and reducing the overall agility of our client’s business; in effect, increasing risk. This piecemeal reactive approach also leaves a gap between the processes designed to keep the organization in line with its regulatory obligations and the policies needed to protect and improve the franchise. Organizations are only as strong as their weakest components, like the links in a chain.

The ACFE tells us that people tend to identify with their positions, focusing more on what they do rather than on the purpose of it. This leads to narrowed vision on the job, resulting in a myopic sense of responsibility for the results produced when all positions interact. In the event of risk management breakdowns or when results are below expectations, it is difficult for people to look beyond their silo. The ‘enemy is out there’ syndrome, a byproduct of seeing only one’s own position, results in people quickly blaming someone or something outside themselves, including regulators, when negative events like long running frauds are revealed, and retreating within the perceived safety of their fortress silo. This learning disability makes it almost impossible to detect the leverage that can be used on issues like fraud prevention and response that straddle the boundary between ‘us’ and ‘them’.

However, it is particularly disconcerting that the weakest numbers by industry sector, including financial services, occur in the ACFE studies measuring organization wide accountability and people’s understanding of their accountability. My personal feeling is that much of the reason for this low score is the perpetuation of organizational silos resulting from management’s failure to adequately identify and document all of its stakeholders’ cross-organizational relationships.

Beyond the Sniff Test

Many years ago, I worked with a senior auditor colleague (who was also an attorney) who was always talking about applying what he called “the sniff test” to any financial transaction that might represent an ethical challenge. Philosophical theories provide the bases for useful practical decision approaches and aids like my friend’s sniff test, although we can expect that most of the executives and professional accountants we work with as CFEs are unaware of exactly how and why this is so. Most seasoned directors, executives, and professional accountants, however, have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis. To their minds, if these preliminary tests give rise to concerns, a more thorough analysis should be performed using any number of defined approaches and techniques.

After having heard him use the term several times, I asked my friend if he could define it. He thought about it that morning and later, over lunch, he boiled it down to a series of questions he would ask himself:

–Would I be comfortable as a professional if this action or decision of my client were to appear on the front page of a national newspaper tomorrow morning?
–Will my client be proud of this decision tomorrow?
–Would my client’s mother be proud of this decision?
–Is this action or decision in accord with the client corporation’s mission and code?
–Does this whole thing, in all its apparent aspects and ramifications, feel right to me?

Unfortunately, for their application in actual practice, although sniff tests and commonly used rules are based on ethical principles and are often preliminarily useful, they rarely, by themselves, represent a sufficiently comprehensive examination of the decision in question and so can leave the individuals and client corporations involved vulnerable to making unethical decisions. For this reason, more comprehensive techniques involving the impact on client stakeholders should be employed whenever a proposed decision is questionable or likely to have significant consequences.

The ACFE tells us that many individual decision makers still don’t recognize the importance of stakeholders’ expectations of rightful conduct. If they did, the decisions made by corporate executives and by accountants and lawyers involved in the Enron, Arthur Andersen, WorldCom, Tyco, Adelphia, and a whole host of others right up to the present day, might have avoided the personal and organizational tragedies that occurred. Some executives were motivated by greed rather than by enlightened self-interest focused on the good of all. Others went along with unethical decisions because they did not recognize that they were expected to behave differently and had a duty to do so. Some reasoned that because everyone else was doing something similar, how could it be wrong? The point is that they forgot to consider sufficiently the ethical practice (and duties) they were expected to demonstrate. Where a fiduciary duty was owed to future shareholders and other stakeholders, the public and personal virtues expected (character traits such as integrity, professionalism, courage, and so on) were not sufficiently considered. In retrospect, it would have been wise to include the assessment of ethical expectations as a separate step in any Enterprise Risk Management (ERM) process to strengthen governance and risk management systems and guard against unethical, short-sighted decisions.

It’s also evident that employees who continually make decisions for the wrong reasons, even if the right consequences result, can represent a high governance risk. Many examples exist where executives motivated solely by greed have slipped into unethical practices, and others have been misled by faulty incentive systems. Sears Auto Center managers were selling repair services that customers did not need to raise their personal commission remuneration, and ultimately caused the company to lose reputation and future revenue. Many of the classic financial scandals of recent memory were caused by executives who sought to manipulate company profits to support or inflate the company’s share price to boost their own stock option gains. Motivation based too narrowly on self-interest can result in unethical decisions when proper self-guidance and/or external monitoring is lacking. Because external monitoring is unlikely to capture all decisions before implementation, it is important for all employees to clearly understand the broad motivation that will lead to their own and their organization’s best interest from a stakeholder perspective.

Consequently, decision makers should take motivations and behavior expected by stakeholders into account specifically in any comprehensive ERM approach, and organizations should require accountability by employees for those expectations through governance mechanisms. Several aspects of ethical behavior have been identified as being indicative of mens rea (a guilty mind). If personal or corporate behavior does not meet shareholder ethical expectations, there will probably be a negative impact on reputation and the ability to reach strategic objectives on a sustained basis in the medium and long term.

The stakeholder impact assessment broadens the criteria of the preliminary sniff test by offering an opportunity to assess the motivations that underlie the proposed decision or action. Although it is unlikely that an observer will be able to know with precision the real motivations that go through a decision maker’s mind, it is quite possible to project the perceptions that stakeholders will have of the action. In the minds of stakeholders, perceptions will determine reputational impacts whether those perceptions are correct or not. Moreover, it is possible to infer from remuneration and other motivational systems in place whether the decision maker’s motivation is likely to be ethical or not. To ensure a comprehensive ERM approach, in addition to projecting perceptions and evaluating motivational systems, the decisions or actions should be challenged by asking such questions as:

Does the decision or action involve and exhibit the integrity, fairness, and courage expected? Alternatively, does the decision or action involve and exhibit the motivation, virtues, and character expected?

Beyond the simple sniff test, stakeholder impact analysis offers a formal way of bringing into a decision the needs of an organization and its individual constituents (society). Trade-offs are difficult to make, and can benefit from such advances in technique. It is important not to lose sight of the fact that the concepts of stakeholder impact analysis need to be applied together as a set, not as stand-alone techniques. Only then will a comprehensive analysis be achieved and an ethical decision made.

Depending on the nature of the decision to be faced, and the range of stakeholders to be affected, a proper analysis could be based on any of the historical approaches to ethical decision making as elaborated by ACFE training and discussed so often in this blog. A professional CFE can use stakeholder analysis in making decisions about financial fraud investigations, fraud related accounting issues, auditing procedures, and general practice matters, and should be ready to prepare or assist in such analyses for employers or clients just as is currently the case in other areas of fraud examination. Although many hard-numbers-oriented executives and accountants will be wary of becoming involved with the “soft” subjective analysis that typifies stakeholder and ethical expectations analysis, they should bear in mind that the world is changing to put a much higher value on non-numerical information. They should be wary of placing too much weight on numerical analysis lest they fall into the trap of the economist, who, as Oscar Wilde put it: “knew the price of everything and the value of nothing.”

Fraud, ERM & Wells Fargo

Could a fully functional Enterprise Risk Management (ERM) program have prevented or otherwise somehow mitigated the Wells Fargo fraud?

As a concept Enterprise Risk Management (ERM) is almost four decades old now and has been repeatedly battle-tested in both private and public organizations around the world as a proven approach to addressing risk in organizations of all sizes by effectively and efficiently concentrating management’s attention on the areas of highest risk to the critical business processes of the enterprise. I don’t have to tell readers of this blog that today’s fiscal realities call for continual and increased efforts to both reduce costs and still deliver optimal customer service; both objectives have a direct impact on fraud prevention because they increase the pressure on management, especially financial and marketing management, to meet ever higher sales and earnings performance standards. The ongoing debacle at Wells Fargo is a case in point of such pressures out of control at seemingly every level of the organization.

ERM was introduced as a management concept in 1974 when a Swedish state risk manager, Gustav Hamilton, identified four elements that are inextricably connected in a risk management process: assessment, control, financing and communications. He called this comprehensive view “the circle of risk” and the concept has continued to evolve in the years since. In September 2004, COSO issued Enterprise Risk Management—Integrated Framework, a method to systematically consider and manage risk across an enterprise. COSO’s premise is that value is maximized when management sets strategy and objectives to strike a balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. COSO’s bottom line is that ERM helps an entity get to where it wants to go and avoid pitfalls and surprises along the way like what has overtaken Wells Fargo. The ultimate goal of ERM for fraud prevention is two-fold: remediate risks (especially the risk of fraud, waste and abuse) to acceptable levels, and eliminate unnecessary controls, processes and, ideally, costs. Potential benefits, such as improved service delivery, increased control and cost savings, are just some of those documented in the literature. At the heart of ERM is a holistic, integrated, future-focused and process-oriented approach that facilitates the management of risk across an enterprise as opposed to looking at it only within siloed organizational entities. The ERM process focuses on “the right things” and can identify processes and procedures that do not measure up to performance, cultural standards and cost-benefit ratios defined by the entity.

Fraud risk programs align well with ERM concepts. Fraud risk programs start with establishing the risk appetite of the enterprise and are governed by policies that articulate the goals and objectives, ethical conduct standards, roles and responsibilities, strategies and tactics of implementation specific to addressing fraud risk. As with other types of ERM programs, fraud programs include deterrence strategies, preventive internal controls, routine measurement of performance and results, as well as program accountability and transparency to stakeholders. Additionally, there is special emphasis on cyber fraud, given the reliance on information technology to carry out the mission of today’s typical organization. Partnerships between organizational and program management are strong, given the linkage between the programs and their associated fraud risks. ERM also strongly supports whistleblower programs, another area of increasing attention and stakeholder priority.

News reports tell us that those Wells Fargo employees who attempted to fill the whistleblower role at many points in the employee initiated fraud were first disciplined for their efforts and then terminated.

COSO’s ERM framework is premised on four underlying principles. How might each (and all collectively) have benefited Wells Fargo beforehand to avoid the present mess?

–Every entity exists to provide stakeholder value.
Sales goals that are all but impossible to meet and which force employees to sign up customers for services they neither ordered nor needed provide no value to the customer, to the employees, to Wells Fargo stockholders or to the public at large.

–All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. This translates to making trade-offs in establishing the level of acceptable risk to assume.
By fostering a culture of corruption among its employees by firing them for not making unrealistic sales goals, it can be argued that Wells Fargo failed to accurately assess both its level of fraud risk and its appetite for such risk.

–Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to more effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Under the COSO model Wells Fargo failed to prioritize risks that might jeopardize its corporate mission, effectiveness and efficiency. It also appears that it lacked a mechanism to take prompt action to stop the basic employee fraud scenario from persisting and spreading to more and more employees. Only after the fact did it halt its program of unrealistic employee sales goals.

–Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.
The application of this principle features ongoing monitoring of the performance of the risk model. Clearly, at the first signs of the fraud, Wells Fargo would have reassessed risk, set risk to the maximum and taken immediate steps to shut down the identified fraud scenario(s).

As a fraud examiner and auditor there are a number of questions I ask my corporate clients to ask themselves that are, in my opinion, critical to both identifying the risk involved with ERM generally and the business processes vulnerable to fraud specifically.

–What keeps you up at night?
–What do we not want to see on the news or in blogs?
–What are the expectations of stakeholders?
–What do we want to make sure happens and happens well?
–What problems have developed or emerged in other organizations that could be a problem in our company as well?
–What controls are now in place? What do we know about how they are working? What do we know about their cost and benefit?
–What level of control can we reasonably afford and how do we get the most bang for the buck?
–What changes have taken place in the company or external to it that may have introduced new risks?

Would ERM have helped Wells Fargo? I don’t know whether the bank presently has an ERM program or not but clearly the process as defined by COSO would have helped in providing a risk monitoring and immediate remediation mechanism to reassess risk in responding to the first whistleblower call alerting to the existence of the employee assisted fraud. And there is no doubt that the forensic accounting and CFE community can play an important role in providing needed leadership and technical assistance to any organization implementing a dynamic, ERM supported, fraud response plan. As the Wells Fargo experience and so many other instances suggest, the time has come to use the full potential of enterprise risk management as a tool to assist in the identification and rapid remediation of frauds before the costs to all stakeholders become unacceptably high.

The Straight Scoop on Risk

Any practicing auditor will tell you that information requests, getting the information needed to perform an audit or review, can be one of the most frustrating aspects of any audit work, and the information requests involved with fraud risk assessments are no exception. To successfully complete his or her assessment the CFE must develop a thorough understanding of the client’s overall system of internal control, with special emphasis on those controls over financial transactions that reduce or mitigate fraud risk. Information requests usually signal the transition from planning to fieldwork for the CFE. How the request for that information is made sets the tone for the assessment, and can help or hurt the CFE-to-client relationship. It can also positively or negatively impact the overall achievement of review objectives, so it’s important to spend the time to get this step right.

It’s been my experience that reviewers new to CFE practice tend to compile their requests for information hastily under the assumption that the sooner they request the information, the sooner they’ll get the reply. However, as we’ve all experienced, information requests can get lost, forgotten, or ignored, and weeks can go by with no response. Since CFEs aren’t generally easily deterred, the problem is typically addressed by sending follow-up emails, leaving voice mails, and, as a last resort, knocking on the CFO’s office door in an attempt to get all the requested information prior to the start of serious fieldwork. And the initial request is only the beginning. During some reviews, information requests seem to never end. If the first request was for a list of key customers, a second request for invoicing procedures soon follows and the whole request process starts all over again, moving like an arrow straight on through to the end of the assessment.

An alternative way around all this requires a little more work on the front-end but organizes requests so that they are received by the target data source quicker, questions are answered faster, and the CFE builds a stronger relationship with the client. This is done by scheduling a formal, face to face meeting with the provider of the target information in his or her office immediately following the entrance conference with the CEO, corporate counsel or audit committee who engaged the CFE. The CFE should ask for and receive permission from the CEO before any information is requested from subordinate staff. The upper management sanctioned meeting with targeted business process expert staff (say the CFO or Chief Information Systems Officer-CIFO) takes place prior to any formal information request being submitted in writing.

Meeting with the targeted business process staff in this way has many benefits and, in my experience, is well worth the time. In addition to supporting a general discussion about what information is available, it’s often possible to obtain some of the requested items themselves during the face-to-face. I’ve often been directed to the information I want on the company databases simply by directly asking the CIFO for it. Such meetings are invaluable to the CFE since they provide an opportunity to improve his or her knowledge of the business and strengthen his or her relationship with business process owners. This approach doesn’t excuse the CFE from doing all he or she can beforehand to develop as much understanding as possible of what items of information to request during the meeting; this is because it’s common to learn something new about the control system of a business process in a meeting with a process expert that makes some aspect of the original request irrelevant. The best way to avoid this is to have developed a solid overview of the fraud risk assessment process, its steps and objectives, so the CFE can quickly regroup and make a new request that better satisfies the complete, overall assessment objective.

During the meeting(s) with individual process owners the CFE should provide a brief overview of the assessment and its objective(s); this will help communicate the reason for the specific information requests. Through an easy give and take the CFE can explore with the process expert where the requested information is housed and how it might best be accessed. A benefit of this approach is that all clients appreciate having the assessment objectives and requests explained to them in person. They are more willing to provide the documentation and answer the inevitable follow-up questions that arise later because they have a clear understanding of what is needed and why. If, during the discussion with the process expert, the reviewer realizes a change needs to be made to a request, it can be addressed in real time. This also saves the CFE from having to send an embarrassing email apologizing because he or she inadvertently requested the wrong information.

Following discussion of all the requests, the CFE should consider wrapping up the meeting by asking a few questions about how the business is doing, if any new initiatives are being undertaken, if that new financial system software is meeting expectations, etc. Anything learned about the business will improve the CFE’s ability to make fraud prevention recommendations and may identify other areas of fraud vulnerability to look into at a later time. Working to obtain this useful control related information is much easier face-to-face than over the phone or via email.

After the meetings with the client’s business process experts are finished, the CFE and his or her team (if any) will be able to start testing immediately because most of the requested documentation has been obtained or its location identified. Another benefit to this approach is efficiency, because it can significantly reduce the time spent waiting and following up with the business process owner. It also allows the CFE to use his or her time effectively.

It is much better to spend one hour with the client up front than to spend an hour each of the following three weeks sending follow-up emails. The best-case scenario is that the CFE walks out of the meeting with all the information requested in hand or its location identified and ready to start reviewing and testing. The worst-case scenario is that the CFE leaves the meeting without the requested information, but now knows where the supporting documentation is located and can pull the information him or herself. Regardless of the outcome, the auditor has spent time building a stronger relationship with the client’s business process owners and may have received some valuable information related to that department or business process that could never have been obtained through a seemingly endless email drive.

When a Fraud Goes Public

There’s a high probability that every fraud examiner, during the course of his or her career, will work on at least one fraud that hits the newspapers.  Your client and its counsel will undoubtedly turn to you as a member of the investigative team for input, especially since, as is most frequently the case, the whole experience will be new to them. Given the overwhelming importance of corporate on-line and off-line reputation as a driver of value and with sustainability as a strategic concern, the bottom-line value of communicating with all corporate publics about both tangible and intangible events affecting performance has risen. This is doubly the case with a sensitive issue like a publicized fraud. Today, the ACFE tells us, intangible assets can account for as much as 70 percent of the value of a business. They include brand, employee loyalty, credibility, trust, and (perhaps of most importance) reputation. In a world continually rocked by corporate governance and other scandals, attention to reputation risk is proving more important than ever. Because organizations derive that reputation from how their various stakeholders and publics perceive their performance, behavior, and actions in the goldfish bowl of social media, the need for more careful management of the public information interface is also vital, and especially so in a crisis.

The ACFE also reports that a growing number of major global companies are investing substantial resources to manage their reputational risk, and have increased their efforts to do so over the last five years. Indeed, 82 percent of risk managers report their companies are making a “substantial” effort to manage reputational risk, and 81 percent said they’ve increased their focus on reputational risk during the last 36 months. That’s partly because risk managers recognize the difficulty most enterprises have attempting to wrap their corporate arms around the nuances of just what a reputation is and what risks it faces, and also because less than half of the executives surveyed said the management of reputational risk was “highly integrated” with their enterprise risk management (ERM) function or another risk oversight program.

During the fraud risk assessment process many CFE’s have likely suspected or even warned that the actions that some of their client enterprises were taking or planning to take – especially those related to over-the-top spending or perceived lapses in corporate ethical judgement – might not be viewed today with the stakeholder disinterest they once were.   Now, every management must deal with reputational risks that were not necessarily reputational risks in the past, and they must deal with changes – rapid in many cases given social media – in the public’s estimation of what is and isn’t acceptable corporate behavior.

Any publicized fraud, major or minor, impacts the corporate reputation and serves as proof that all of its key fraud risks are intertwined; each risk can impact others. Losses to fraud impact reputation just as surely as bad strategic decisions. To help minimize the negative effects of these intertwined threats, organizations should consider identifying risk champions within the organization, including the CEO, the president, regional presidents, and, sagely, the marketing director, whose roles would include not only monitoring and reporting on on-going reputational risks but also, acting as a committee, actively shaping the corporate response to a publicized fraud.  These champions routinely look for reputational risks as part of their day-to-day activities, arranging for corporate auditors to test anti-fraud controls and look at policies and procedures that might carry some type of reputational risk.  Likewise, every member of management should be sensitized to be aware of reputational risks and educated to identify areas for audit that, in their opinion, are not being managed correctly and thus likely represent loci of developing fraud-related threats to the enterprise’s good name.

Organizations which haven’t experienced a publicized fraud often overlook the multifaceted nature of reputational risk and the need to consider it at the inherent level, rather than focusing, as so many organizations do, on reputational risk at the lower, residual level; damage to reputation is never just a residual effect and should never be viewed as such. This judgment error can leave managements complacent about the magnitude of damage a threat to the company’s reputation can cause. A sense of comfort with the expected perceived control level can make many boards and executives not think about the inherent, potentially devastating reputational risks that are always lurking around every corner.  Never forget, the world’s response to a damaged reputation is faster and harsher today than ever before.

Just how fast social media can change and affect the public’s opinion of any company is something of which many organizations are still insufficiently aware.  Although companies cannot prevent anti-company commentary related to a fraud on social media sites, they can monitor them and possibly influence them. It’s doubtful that many of today’s client senior management were taught the practice of determining potential reputational risks and of monitoring a corporation’s response to them on social media.  CFE’s need to recommend that client companies expand their public mood-tracking activities to these venues when actually responding to and addressing a published fraud.

The management of reputational risk during a publicized fraud requires a constantly updated, fresh approach to what could happen and the reverberations it could have throughout an enterprise’s public universe. Financial responsibility is one type of reputational risk that is not new; as consumers become more actively involved in narratives involving stock market manipulation and corporate corruption, companies are more at risk of being labeled ‘irresponsible’ if they don’t have a perceived high level of corporate governance. Worldwide slow economic growth has made the reputational risk of all corporate related missteps a greater threat to any company because it simply might not be able to recover from a financial fraud fallout as quickly as it might have in high growth times. Slow growth may also lead more employees to engage in the kind of activity – fraud, theft, quality corner-cutting – that can damage an organization’s reputation, and the general public is well aware of the fact.

Helping client companies manage reputational risk during their response to publicized frauds, including that risk in their fraud risk assessments, and then reassessing on an on-going basis the performance of risk related controls is an area where CFE’s can add tremendous value at very little incremental cost; doing so will certainly add value to the overall fraud prevention effort. And don’t overlook training front line employees in their role in protecting the corporate reputation.

Thoughtful, coordinated management of the fallout from a publicized fraud is the difference between a company stumbling blindly into a far worse reputation debacle than necessary, and heading off disaster by acting swiftly to contain the reputational damage and move the organization forward. CFE’s have a critical role to play in all of this.

Fraud Reports as Road Maps to Future Fraud & Loss Prevention

There are a number of good reasons why fraud examiners should work hard at including inclusive, well written descriptions of fraud scenarios in their reports;  some of these reasons are obvious and some less so.  A well written fraud report, like little else, can put dry controls in the context of real life situations that client managers can comprehend no matter what their level of actual experience with fraud.  It’s been my experience that well written reports, in plain business language, free from descriptions of arcane control structures, and supported by hard hitting scenario analysis can help spark anti-fraud conversations throughout the whole of a firm’s upper management.   A well written report can be a vital tool in transforming that discussion from, for example, relatively abstract talk about the need for an identity management system to a more concrete and useful one dealing with the report’s description of how the theft of vital business data has actually proven to benefit a competitor.

Well written, comprehensive fraud reports can make fraud scenarios real by concretely demonstrating the actual value of the fraud prevention effort to enterprise management and the Board.  They can also graphically help set the boundaries of what management will expect the prevention function to do in the future if this, or similar scenarios, actually re-occur.   The written presentation of the principal fraud or loss scenario treated in the report necessarily involves consideration of the vital controls in place to prevent its re-occurrence, which then allows for the related presentation of a qualitative assessment of the present effectiveness of the controls themselves.   A well written report thus helps everyone understand how all the control failures related to the fraud interacted and reinforced each other; it’s, therefore, only natural that the fraud examiner or analyst recommend that the report’s intelligence be channeled for use in the enterprise’s fraud and loss prevention program.

Strong fraud report writing has much in common with good story telling.  A narrative is shaped explaining a sequence of events that, in this case, has led to an adverse outcome.  Although sometimes industry or organization specific, the details of the specific fraud’s unfolding always contain elements of the unique and can sometimes be quite challenging for the examiner even to narrate.   The narrator/examiner should especially strive to clearly identify the negative outcomes of the fraud for the organization, for those outcomes can be many and related.  Each outcome should be explicitly described and its impact clearly enumerated in non-technical language.

But to be most useful as a future fraud prevention tool the examiner’s report needs to make it clear that controls  work as separate lines of defense,  at times in a sequential way, and at other times interacting with each other to help prevent the occurrence of the adverse event.  The report should attempt to demonstrate in plain language how this structure broke down in the current instance and demonstrate the implications for the enterprise’s future fraud prevention efforts.  Often, the report might explain, how the correct operation of just one control may provide adequate protection or mitigation.  If the controls operate independently of each other, as they often do, the combined probability of all of them failing simultaneously tends to be significantly lower than the probability of failure of any one of them.  These are the kinds of realities with the power to significantly and positively shape the fraud prevention program for the better and, hence, should never be buried in individual reports but used collectively, across reports, to form a true combined resource for the management of the prevention program.

The final report should talk about the likelihood of the principal scenario being repeated given the present state of preventative controls; this is often best estimated during discussions with client management, if appropriate. What client management will truly be interested in is the probability of recurrence, but the question is actually better framed in terms of the likelihood over a long (extended) period of time.  This question is best answered by the involved managers, in particular the loss prevention manager.  If the answer is that this particular fraud risk might materialize again once every 10 years, the probability of its annual occurrence is a sobering 10 percent.

As with frequency estimation, to be of most on-going help in guiding the fraud prevention program, individual fraud reports should attempt to estimate the severity of each scenario’s occurrence.  Is it the worst case loss, or the most likely or median loss?  In some cases, the absolute worst case may not be knowable, or may mean something as disastrous as the end-of-game for the organization.  Any descriptive fraud scenario presented in a fraud report should cover the range of identified losses associated with the case at hand (including any collateral losses the business is likely to face).  Documented control failures should always be clearly associated with the losses.  Under broad categories, such as process and workflow errors, information leakage events, business continuity events and external attacks, there might have to be a number of developed, narrative scenarios to address the full complexity of the individual case.

Fraud reports, especially for large organizations for which the risk of fraud must always remain a constant preoccupation, can be used to extend and refine their fraud prevention programs.  Using the documented results of the fraud reporting process, report data can be converted to estimates of losses at different confidence intervals and fed to the fraud prevention program’s estimated distributions for frequency and severity. The bottom line is that organizations of all sizes shouldn’t just shelve their fraud reports but use them as vital input tools to build and maintain the ongoing fraud risk assessment process for ultimate inclusion in the enterprise’s loss prevention and fraud prevention programs.
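As an added example, not part of the original post, the following Python ties the quantitative points of this section together: the combined failure probability of independent control layers, the once-every-N-years recurrence estimate converted to an annual probability, and a report’s documented loss range fed into a frequency/severity simulation so that losses can be read off at different confidence levels. The scenario figures, the control-layer failure rates and the triangular severity model are constructed assumptions for illustration, not figures from any real fraud report.

```python
import random


def combined_failure_probability(layer_failure_probs):
    """Probability that every one of several independent control layers
    fails at the same time: the product of the individual failure
    probabilities. Raises ValueError for a value outside [0, 1]."""
    combined = 1.0
    for p in layer_failure_probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p}")
        combined *= p
    return combined


def annual_probability(recurrence_years):
    """Turn a 'could recur once every N years' estimate into an annual
    probability of occurrence (once every 10 years -> 0.10)."""
    if recurrence_years <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / recurrence_years


def expected_annual_loss(scenarios):
    """Closed-form expected annual loss: each scenario's annual probability
    times the mean of its triangular (low, most likely, worst case) severity."""
    total = 0.0
    for s in scenarios:
        mean_severity = (s["low"] + s["mode"] + s["high"]) / 3.0
        total += s["annual_probability"] * mean_severity
    return total


def simulate_annual_losses(scenarios, years=10_000, seed=7):
    """Monte Carlo over simulated years. In each year every scenario occurs
    at most once, with its annual probability; when it occurs the loss is
    drawn from a triangular distribution spanning the report's loss range."""
    rng = random.Random(seed)
    yearly_totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s["annual_probability"]:
                total += rng.triangular(s["low"], s["high"], s["mode"])
        yearly_totals.append(total)
    return yearly_totals


def loss_at_confidence(yearly_losses, level):
    """Empirical quantile: the annual loss not exceeded in `level` of the
    simulated years (0.99 -> roughly the one-in-a-hundred-years loss)."""
    if not 0.0 < level < 1.0:
        raise ValueError("confidence level must be strictly between 0 and 1")
    ordered = sorted(yearly_losses)
    index = min(len(ordered) - 1, int(level * len(ordered)))
    return ordered[index]


# Constructed scenarios (assumed values, not from any real report): each
# carries the recurrence estimate and the documented loss range a fraud
# report would state, including collateral losses.
SCENARIOS = [
    {
        "name": "vendor overbilling",
        "annual_probability": annual_probability(10),   # "once every 10 years"
        "low": 50_000.0, "mode": 200_000.0, "high": 1_200_000.0,
    },
    {
        "name": "business data theft benefiting a competitor",
        "annual_probability": annual_probability(20),
        "low": 100_000.0, "mode": 400_000.0, "high": 3_000_000.0,
    },
]

# Three independent lines of defence that fail one time in ten, twenty and
# fifty respectively (assumed): all three failing together is a 1-in-10,000
# event, far rarer than any single layer failing on its own.
CONTROL_LAYER_FAILURE_PROBS = [0.10, 0.05, 0.02]

if __name__ == "__main__":
    print("all layers fail together:",
          combined_failure_probability(CONTROL_LAYER_FAILURE_PROBS))
    print("expected annual loss:", round(expected_annual_loss(SCENARIOS)))
    losses = simulate_annual_losses(SCENARIOS)
    for level in (0.50, 0.90, 0.99):
        print(f"loss at {level:.0%} confidence:",
              round(loss_at_confidence(losses, level)))
```

Because both constructed scenarios are rare, the median simulated year carries no loss at all; the 90th and 99th percentile figures are what show management the tail the report’s worst-case range implies.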

The Dually Certified CFE

We all know that public and private sector auditors of all kinds are stretched critically thin during these times of straitened administrative budgets.  But I also know from personal experience that Chief Audit Executives (CAE’s) everywhere are continually on the lookout for cross trained staff, with candidates who have the ability, training and experience to perform some mix of fraud, financial, operational and IT audits in especially high demand.  For that reason fraud examiners new to the profession have a special need of a broad understanding of how the generic audit process works so as to make the strongest contribution to their employer’s overall audit effort.

The primary role of assurance and risk control professionals within any organization is to continually, independently and objectively assess the controls, fraud risks, reliability and integrity of the enterprise environment.  These assessments can help maintain or improve the efficiency and effectiveness of the organization’s overall risk management, internal controls and corporate governance.  Those dually certified as fraud examiners as well as CPA’s, CIA’s and CISA’s can evaluate corporate objectives, plans, strategies, and policies and procedures to ensure adequate management oversight of fraud risk, thereby reducing actual instances of fraud, waste and abuse.  Anti-fraud recommendations developed during the fraud risk assessment process can complement control strengthening recommendations developed and presented to management by other members of the organizational control assurance team.

I would argue that dually certified CFE’s are in an especially powerful position to add value to the performance of internal financial, operational and compliance auditing assignments.  The CFE’s expertise regarding the red flags of financial statement fraud can be an integral part of any financial audit.  A financial statement audit, or more accurately, an audit of financial statements, is a review of an enterprise’s financial statements that results in the publication of an independent opinion on the relevance, accuracy, completeness and fairness (RACF) of the presentation of the financial statements.  Internal auditors of all types don’t opine on the company’s financial results, but, as part of their annual audit plans, constantly perform substantive tests on financial balances to verify RACF.  The CFE and other members of the internal audit team conduct periodic analyses, reviews and tests of the financial accounting system; successful passing of the tests decreases the amount of associated risk and provides valid input for adjustments to the fraud risk assessment.

Operational auditing is the process of reviewing a division or department of the enterprise, government or non-profit organization to measure the effectiveness, efficiency and economy of operations.  This is an evaluation of management’s performance and conformity with policies and budgets.  The objective is to appraise the effectiveness and efficiency of a division, an activity or an operation in meeting organizational goals.  Ineffective and inefficient operations are a breeding ground for management and employee dissatisfaction and constitute a red flag of management fraud.  As an example, a poorly or incompletely implemented automated control system is an open invitation for exploitation by internal fraudsters who always know the faulty system better than management.

Internal assurance professionals conduct compliance audits to gauge organizational adherence to regulatory guidelines, local, State and Federal.  Elements to be evaluated depend on whether the enterprise is a public or private sector entity, what kind of data it handles, and whether or not it transmits or stores sensitive personal client and financial data.  A glance at the newspaper should be enough to convince anyone of the costs involved in State and Federal regulatory violations and any such violations are only exacerbated by instances of fraud.  There can be no question of the role that can be played by the experienced CFE in compliance auditing.  Fraud prevention controls are part of compliance and these controls must be fully integrated into the organization’s overall plan for compliance in order for the enterprise to pass State and Federal audits of the use of taxpayer funds.  Considerations of fraud prevention must be involved in all facets of compliance auditing.

From the CFE’s perspective the main differences among internal financial, operational and compliance auditing are the purpose of the audit, inclusion of non-financial business processes and cost/benefit versus verification.  Financial audits, as their name denotes, focus on an enterprise’s financial results.  Compliance and operational audits can focus on hidden numbers and costs that could be reduced, once more demonstrating a strict focus on adherence, efficiency, effectiveness and process improvement.

Because of ubiquitous staff and other budget related limitations, the world of intra-enterprise control assurance is moving toward a more integrated approach.  CFE’s, especially those new to the profession and those who are dually certified,  should not hesitate to extend their competence to participate as team members in the conduct of financial, operational and compliance audits.  Strict lines between the various types of assurance professionals can only continue to dissolve because separating each audit approach in its individual stove pipe is neither efficient nor effective.  So don’t be afraid to step out of your comfort zone; the experience makes for better auditors and better audits.

Information System Security Policy & Elevated Fraud Risk

It should be a surprise to no one, given recent news stories, that failure to comply with State and Federal laws and regulations regarding IT security policies poses a threat to our corporate clients that can be far more damaging than any physical event.  What is surprising is how often instances of such regulatory non-compliance are accompanied by management, financial, and other frauds directly tied to weak, or non-existent, security policies.   Although many organizations claim to be performing risk management to some degree, a recent Information Systems Audit & Control Association (ISACA) survey suggests that many still use a fragmented, highly manual or incomplete approach to managing IT risk.  In many instances a stripped down continuity of operations planning (COOP) approach is taken, largely ignoring internal threats like IT risk and over-emphasizing known and more infrequent external risks like earthquakes, fires, supply chain disruption problems and pandemics; the primary focus is on basic disaster recovery, business continuity and other contingency plans apart from the comprehensive approach to internal control based IT risk management represented by a fully functioning Enterprise Risk Management (ERM) system as envisioned by COSO.

An information security policy that doesn’t cover all client information system elements, including customer data, programs, computers, networks, facilities, people and processes is an open door for government prosecutors trying to demonstrate a lack of due diligence and/or prove reckless disregard.

Since the IT security value of each element and the need to protect it based on security parameters (confidentiality, integrity, availability) varies for different organizations, a systematic fraud risk assessment is essential as a foundation on which to base the formulation of a set of sound IT security policies.

For her client organization the fraud examiner has to identify the key components of its information systems; what are the applications, servers and networks?  There has to be some kind of rating of the IT components in terms of the security risk they represent; are they, by rank, critical, vital, sensitive, non-critical?  Then, in the fraud examiner’s opinion, what is the fraud vulnerability associated with these information systems and what are the corresponding external and internal threats to each element of the systems?  What are the potential risks from these specific threats to the business and what existing controls of the client address these risks?   Only when the residual IT fraud risks that the enterprise has decided to accept have been identified (after risk reduction, avoidance and transfer) is it possible to examine the impact of fraud related compliance risk under relevant laws and regulatory requirements.   It’s been my experience that this last exercise can be quite an eye opener because one or more of the following has most likely happened, resulting in some set of potentially adverse consequences for both regulatory compliance and potential fraud exposure:

–under competitive pressure, IT security policy is no longer current as a result of rapid changes in the organization’s risk profile due to evolution of business functions or processes and to IT and communication systems, such as computer networks and applications;
–operating departments were insufficiently involved in original IT security policy formulation and, therefore, have no sense of ownership of or involvement with the policy;
–existing IT security policy is not based on the results of a comprehensive risk assessment;
–amendments to legal and regulatory compliance requirements which the organization has not addressed;
–developments such as new encryption and data security technologies;
–effective communication of the information security policy to all employees, partners, vendors and key customers has not taken place, hence the policy is legally unenforceable.  The fraud examiner should attempt to determine and document the various ways management has chosen to communicate its IT policy throughout the organization;
–compliance with the IT security policy has been left to choice or chance with no effective mechanism(s) to ensure the compliance of all stakeholders;
–there are insufficient, specific instructions converting the relevant preventative, detective and corrective controls into actionable steps for each of the security elements. Examples of such actionable instructions are 1) having each staff member sign off that they understand the IT security policy and their responsibility for compliance and 2) management framing email policy and rules for the use of the Internet.

Well defined IT security policy is not only a tool to comply with and reduce regulatory exposure; it provides strategic value by reducing fraud risk.  Conversely, an ineffective policy may provide a false sense of security, weaken the entire system of internal control, lead to inefficient control monitoring, to untimely detection of breaches and increased losses and legal sanctions.

Effective Oversight of Emerging Fraud Risk

Let’s face it. On-going change management related to the enterprise risk management (ERM) process of any medium to large organization can be a daunting, almost overwhelming task.  The challenge represented by this vital work is only compounded by the difficulty of gathering and sifting intelligence from a diverse and ever changing management team with varying levels of experience and armed with differing agendas.  We know from COSO that an overall organizational posture of good ERM management begins with the entity’s risk framework and related governance architecture sharply focused on the decision making process directing fraud risk mitigation.  But in such a heap of distinctly differing management roles and responsibilities (many seemingly codified in stone), how do we get the data we need to identify contemporaneous critical changes to the organization’s risk appetite and then manage emerging fraud risk based on that changing appetite?  For upper management and for the fraud examiner immersed in such an environment, effective risk mitigation becomes the ultimate challenge and, as we all know, you can’t do a very effective job of mitigating a threat you can’t see.

You can recommend to upper management that one way to address its problem of the lack of systematically gathered intelligence about on-going and emerging fraud risks is to implement a forum structure in which its designated business process risk owners can regularly meet to share information with management about ongoing oversight of their changing individual risk profiles.

There’s no question that some fraud related risks are coming on faster than others.  Confronted with the on-going, special challenges of codifying digital system related hacking risks (especially the risk of the theft of identity related data) now across all industries, the need for management to aggressively confront the risk identification/mitigation gap has never been more acute; I would argue that periodically scheduled, internal risk identification forums are a cheap and surprisingly effective way to increase upper management’s level of actionable intelligence on this increasingly critical topic.  It never ceases to surprise me just how much operating managers actually know about the threats that confront them if they’re provided with the right context for sharing the information.

A formalized emerging risk forum composed of key operating managers (risk owners in COSO terms) and (if management is willing), including a knowledgeable consulting fraud examiner, does a number of important things for your client upper management as it struggles with identifying a multitude of emerging fraud risks while lacking insight as to how to effectively deal with any of them:

–Communication is facilitated between upper management and business process risk owners who may not be in regular direct contact with one another.  Risk owners from one division or operating unit may have a partial conception of a fraud risk or scenario but not a view of the entire risk posed by the full scenarios as portrayed by the consulting fraud examiner.  The regular meetings of the fraud risk forum constitute a setting where participants can compare notes about the many different types of fraud risks which, in the opinion of participants, when taken together, might constitute a pattern or catalogue of risk types confronting the organization.   In my experience, these types of regular discussions can uncover risks, currently thought to be small, that in combination may be exposing the organization to a more elevated level of risk than anticipated and thus deserving of a higher level of attention for mitigation.

–Every organization has silos between, and even within, its functioning operational and administrative components. Regularly scheduled risk forums allow process owners to build strong working relationships with each other and to draw from their collective experience and expertise regarding what they individually and collectively perceive as threats to the organization.

–Risk forums provide senior management, the chief security officer (if there is one) and business continuity planning staff a platform from which to consistently communicate the big picture to business process owners about developments that may affect risk management in their individual operational divisions or subsidiaries; an example would be the movement of financial systems housed locally to a cloud based solution, occasioning a change in the overall financial risk profile of the organization.

–The contextual environment in which information is shared can be crucial for its credibility.  Allowing participants to use the collective stature and influence of the forum to present their opinions about risk and mitigation solutions lends overall weight to the deliberations for all participants. Presentation in the forum addresses the problem that individual business process owners may not have the personal stature in the organization to make fraud risk related mitigation recommendations that business unit leaders would be inclined to consider seriously.  It goes without saying that there must be no retaliation for anything said in an emerging risk forum if the exercise is to have any on-going value to management.

So, once again, we fraud examiners can perform a valuable service to our respective client organizations by recommending the creation of fraud risk control and mitigation structures like the emerging risk forum.  The fraud examiner’s knowledge of fraud scenarios and of effective ways to mitigate the multitude of risks often represented by such scenarios (combined with existing relationships with senior managers and corporate counsel)  place him or her in a powerful position to add value to the challenging process of fraud risk identification and mitigation.

A Frame-Work for an Anti-Fraud Policy Process

One of our readers, currently working in Thailand for an English multi-national oil company as a senior security officer, posted a question over last weekend about the steps involved in setting up the overall framework of a fraud control policy process for her local office.   One approach to establishing a fraud control policy process is to view overall fraud control policy as existing in three layers—corporate, administrative, and operational.  Collectively, the layers represent the control policy of the organization; however, each layer has a particular purpose, or role, that directly impacts the anti-fraud policy created and who uses it.

The corporate fraud control policy is strategic in nature and supports the corporate objectives, business processes, and controls that guide the organization as a whole.  It’s also closely aligned to the strategic planning process and enterprise risk assessment (see Enterprise Risk Management related blog posts on this site). This policy is created at the executive level and tends to be broad in scope and application.  Properly constructed, corporate fraud control policy should be minimal in volume and should only require occasional (annual) review and updating.  This policy should be heavily influenced by the board of directors and is typically subject to their direct review and approval since it will lead and tie seamlessly into the corporate Code of Ethics and Conduct (perhaps as an introduction to the Code).

Administrative fraud control policy is created by service departments such as finance, human resources, supply-chain management and information technology.  These functions are sometimes collectively referred to as organizational controls because the anti-fraud controls defined within their policies are applied across the organization regardless of the business activity.  As such, these policies set the rules by which personnel interact with each other within the organization on a daily basis.  Critical to the fraud control objective, administrative controls guide management in using resources (the frequent target of frauds) efficiently and in achieving business objectives.  Administrative policy is typically the most easily managed anti-fraud policy layer because its functions are relatively stable, and the policies (if appropriately available and employees trained in their use) are referenced frequently by most employees.  Consequently, they tend to remain reasonably current, as the employees responsible for them perform recurring control activities that require them to update these policies to reflect changes in the business and control environment.  A downside to administrative fraud control policy is that it’s often the most voluminous policy layer and so subject to the most change.

Operational policy is the largest area of the fraud control policy structure and is most closely linked to individual business processes.  It’s also the layer which, in my opinion, typically contains the most challenges and deficiencies.  Each operational business process within the organization requires some level of anti-fraud policy to guide its management and staff in day-to-day fraud prevention.  Business is constantly changing and fraud scenarios are constantly evolving right along with it; the infection of fraud is part of the mix of general business growth, decline, market changes, regulatory and environmental requirements, competition, economic boom and bust, and the overall desire of the company to flourish for its stockholders and other stakeholders.  If the operational fraud control policy does not match this velocity of change, the risk increases that operational decisions will be made by individual bad actors and will no longer align with the anti-fraud objectives of upper management and the board.   For this reason, organizations should include in their anti-fraud policy process a provision for periodic assessment of the entire process, from the top to the bottom of all three layers.

Fraud examiners are ideally qualified to conduct such reviews as they have the necessary knowledge and objectivity to deliver a comprehensive assessment to management.  The fraud examiner also brings the necessary communication and facilitation skills to both explain, and where necessary, to instruct management at all levels on the appropriate steps to take to address any anti-fraud policy deficiencies or to strengthen the process itself.  Communication, technology, policy ownership and the policy process itself are the key issues fraud examiners should consider when evaluating any anti-fraud policy process.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early registration)! For details see our prior post entitled, “Save the Date”!