
Program Integrity Federalism

From time to time someone among our newer Chapter members working in the insurance industry reports confronting instances of Medicaid and Medicare fraud for the first time. I thought it might be helpful to present some of the more common health care fraud scenarios that beginning fraud examiners are likely to confront in actual practice in the governmental health care space.

Abuses of the Medicaid and Medicare programs exist in myriad shapes and sizes and continue to evolve constantly. While Medicaid and Medicare fraud, waste and abuse, including outright criminal exploitation of governmental health care payments, appear to be the most egregious program issues, incidental and accidental waste also threaten program integrity. Altogether, the overpayment of Medicaid and Medicare dollars represents the largest portion of misused government money, accounting for 59 percent of the $102.2 billion the government improperly distributed among all its agencies in 2017 (ACFE). Issues involving these exorbitantly expensive improper payments can be attributed, in part, to the complexities of the programs themselves and to ever-changing policies among the various states.

It’s important for new anti-fraud practitioners to be aware that while Medicaid and Medicare are considered universal programs, each state is able to operate its own version of the programs autonomously and independent of any collective standard. This autonomy creates wide-ranging policy inconsistencies due to the differences among states, and, in many ways, embodies the ideals of American federalism. How states administer programs like Medicaid and Medicare is largely influenced by the bureaucratic style employed by the state legislature. These variations and inconsistencies can facilitate inaccuracies and misunderstandings in every aspect of both programs, from recipient eligibility to billing protocols, coding standards and licensure requirements. Doctors offering Medicaid or Medicare services are not easily able to transfer their practices from one state to another without first exploring the expectations and requirements of the new state. These hard state boundaries create the potential for provider, beneficiary and administrative confusion, which ultimately equates to billions of program dollars misappropriated each year.

Beyond the innocent misappropriation of program dollars are the much more serious problems with the Medicaid and Medicare programs manifesting in the form of illicit and purposeful instances of fraud, waste and abuse perpetrated by recipients and providers. Medicaid and Medicare identity theft (instances of which have been recently investigated by one of our Chapter members), much like general identity theft, has continually resurfaced as a bane since the programs’ inception. It is estimated that three percent of $50 billion of the nation’s annual identity theft losses is associated with some type of medical identity theft. Because of their likelihood of being enrolled in government-facilitated insurance programs like Medicare or Medicaid, individuals aged 50 or older are most likely to fall victim to this type of identity theft. Fraudsters steal these identities to access services, such as prescriptions for drugs with high black-market value (e.g., OxyContin, Fentanyl and Morphine), intended for legally enrolled, authorized recipients. Once the prescription is obtained, the thieves sell the drugs for cash or abuse them themselves.

A similar identity theft scheme involves the sale of durable medical equipment prescribed to recipients. By stealing a beneficiary’s Medicaid or Medicare number, the perpetrator can place orders for equipment (e.g., slings or braces), all paid for through program dollars, and re-sell the goods online or via newspaper classifieds for cash.

Physicians participating in the Medicaid and Medicare programs also have access to a wide range of possible fraud, waste and abuse schemes. Double billing is a common provider fraud scheme that involves the submission of duplicate claims to Medicaid or Medicare in an attempt to receive double the amount of payment for services that were only provided once. Those physicians wise to the high detectability of billing duplicate claims to either program via simple data analysis will also often send one bill to a private insurance company and a duplicate bill to Medicaid or Medicare so that the duplication does not appear within one data set. Other fraud schemes include up-coding bills to Medicare or Medicaid to represent more complex, lengthy or in-depth procedures when a simpler or lower-level service was actually provided or performed.

Usually, complex procedures are paid at a higher dollar amount than their simpler counterparts, which leads providers to be paid more money than what they actually earned during the office visit or procedure. This fraud scheme takes advantage of small but specific variations in the current procedural terminology (CPT) coding system standardized for both Medicaid and Medicare coverage. Similar to up-coding is the fraudulent unbundling of CPT codes billed as individual entities that per regulation should be grouped together and billed under one umbrella code. Usually, the umbrella code pays a discounted rate for all the services combined. Each individual code gets paid an amount that, when totaled together, equals more than what the umbrella code pays.

Dishonest Medicaid and Medicare providers also bill for services that are not medically necessary. In this scheme, providers perform and bill for services and/or testing beyond what patient need requires. Under this scheme, hospital stays are lengthened, additional diagnostic testing is ordered, entitled hospice enrollment is invoked too early, and equipment and tools are wasted for beneficiaries who really require less care and fewer services. This fraud scheme not only wastes program dollars but also strains other areas of the general healthcare system by inducing and allowing individuals to linger, thus monopolizing unnecessary services and care that could be better applied to other more worthy beneficiaries. But please be aware, while Federal regulation does not contain a definition of medical necessity, states are granted authority to develop and apply medical necessity criteria as they see fit. Providing and billing for services beyond the required needs of the beneficiary may be intentional and/or fraudulent, but because of differing state criteria, instances where unnecessary services are provided and billed may also be simply accidental or well-intentioned.

Anti-fraud professionals of all kinds should also bear in mind that, while medical identity theft, double billing, up-coding, unbundling and billing for services not medically necessary represent only a portion of the known problems and schemes that weaken the Medicaid and Medicare programs, there are many other types of program fraud, waste and abuse occurring on a daily basis that have yet to be discovered; in this area of practice, expect the unexpected. According to the ACFE, in the past 27 years the Federal government has recovered approximately $24 billion in settlements or judgments against individuals and organizations who committed both accidental and purposeful healthcare fraud, waste and abuse.

On a state level, another $15 billion has been recouped from criminal fines and civil settlements resulting from the prosecution of healthcare fraudsters. While the $39 billion in recovered overpayments from the last 27 years is only enough to cover a small percentage of one year’s total program costs, the amount of overpayment dollars recovered each year by the Federal and state governments is growing exponentially. On average only about $1.4 billion in overpayments was recovered during that time period. However, in 2016 alone, $3.1 billion in healthcare fraud judgments and settlements was recovered by the Federal government. As Medicaid and Medicare fraud, waste and abuse schemes and problems become more prevalent, their financial toll increases. Federal and state governments are also detecting and reclaiming money on a larger scale. This increase can be attributed to developments in policy created to prevent and identify fraud, increased investigative and program integrity funding, and technological improvements in fraud detection programs, databases and software; Certified Fraud Examiners (CFEs) will increasingly find themselves at the forefront of the effort to strengthen health care program integrity at the Federal level and within each state.

Getting Out of Your Own Way

One of the most frequently requested topics for ACFE-led instruction concerns the art of fraud interviewing, one of the most complex and crucial disciplines of the many comprising the fraud examination process. And at the heart of the interviewing process lies communication. As we all know, communication is the process of effectively sending and receiving information, thoughts, and feelings. First and foremost, an effective interviewer is an effective communicator, and being an effective communicator depends on building rapport. According to the ACFE, if you don’t establish rapport with a subject at the outset of the fraud interview, the possibilities of your spotting anything are very low. Rapport is the establishment of a connection between two individuals that is based on some level of trust and a belief in a relationship that is mutually beneficial to both parties.

The interviewer who thinks s/he will find a cooperative subject without making a connection with that individual is in for a disappointment. Rapport is determined by our attitude toward the subject. Just as we as interviewers use our powers of perception to “read” the subject, the subject reads us as well. If s/he senses condemnation, superiority, hostility, or deceit, you can expect little but superficial cooperation from any interaction. Besides, above all else, as the experts tell us, we are professionals. As professionals, personal judgments have no place in an interview setting. Our job is to gather information empirically, objectively, and without prejudice towards our subjects. Why do we identify with and speak more freely to some people? We are naturally drawn to those with whom we share similar characteristics and identities. Techniques and tools are important, but only to the extent that they complement our attitude toward the interview process. So, effective communication is not what we do – it’s who we are.

And along with rapport, the analysis of the quality of the interaction between both interview participants is critical to the communication process. An interview is a structured session, ideally between one interviewer and one subject, during which the interviewer seeks to obtain information from a subject about a particular matter. And just as we signal each other with voice pitch and body language patterns when we’re sad, angry, delighted, or bored, we also display distinct patterns when trying to deceive each other. Fortunately for those of us who interview others as part of our profession, if we learn to recognize these patterns, our jobs are made much simpler. Of course there is no single behavior pattern one can point to and say “Aha! This person is being deceptive!” What the professional can point to is change in behavior. Should a subject begin showing signs of stress as our questions angle in a certain direction, for example, we know we have hit an area of sensitivity that probably requires further exploration. If you interview people regularly, you probably already know that it is more likely for a subject to omit part of the story than actually lie to you. Omission is a much more innocuous form of deceit and causes less anxiety than fabricating a falsehood. So even more importantly than recognizing behavior associated with lying, the interviewer must fine tune her skills to also spot concealment patterns.

ACFE experts tell us that each party to a fraud interview may assume that they understand what the other person is conveying. However, the way we communicate and gather information is based in part on which of our senses is dominant. The three dominant senses, sight, hearing, and touch influence our perceptions and expressions more than most realize. A sight dominant subject may “see” what you are saying and tell you he wants to “clear” things up. An auditory dominant person may “hear” what your point is and respond that it “sounds” good to him. A touch dominant person may have a “grasp” of what you are trying to convey, but “feel uncomfortable” about discussing it further.

By analyzing a subject’s use of words, an interviewer can identify his or her dominant sense and choose her words to match. This helps strengthen the rapport between interviewer and subject, increasing the chances of a good flow of information. Essential, of course, to analyzing and identifying a subject’s dominant senses are good listening skills. Effective communication requires empathetic listening by the interviewer. Empathetic listening and analysis of the subject’s verbal and nonverbal communication allows us to both hear and see what the other person is attempting to communicate. It is the information that is not provided and that is concealed, that is most critical to our professional efforts.

By developing your listening abilities, practicing them with others with whom you communicate every day, the vast array and inexhaustible variations of the human vocabulary are bound to strike you. The most effective way to communicate is with clear, concise sentences that create no questions. However, the words we choose to use, and the way that we say them, are limited only by what is important to us. A subject, reluctant or cooperative, will speak volumes with what they say, and even more significantly, what they don’t say. Analysis of the latter often reveals more than the information the subject actually relates. For instance, the omission of personal pronouns could mean unwillingness on the part of the subject to identify himself with the action.

One final note of caution. If you ask the experts about the biggest impediment to an effective interview, they will probably give you a surprising answer. Most experienced interviewers will tell you that often the greatest impediment to a successful interview is the interviewer. Most interviewers use all of their energies observing and evaluating the subject’s responses without realizing how their own actions and attitudes can contaminate an interview. In fact, it is virtually impossible to conduct an interview without contaminating it to some extent. Every word used, the phrasing of a question, tone, body language, attire, the setting – all send signals to the subject. The effective interviewer, however, has learned to contaminate as little as possible. By retaining an objective demeanor, by asking questions which reveal little about what s/he already knows, by choosing a private setting and interviewing one subject at a time, s/he keeps the integrity of the interview intact to the best of her ability.

Sniffing it Out

The first Virginia governor I worked for directly was John Dalton, who was fond of saying that his personal gauge for ethically challenged behavior was the smell test, i.e., did any proposed action (and its follow-on implications) have the odor of appropriateness. Philosophical theories provide the bases for most useful practical decision approaches and aids, although a majority of seasoned executives are unaware of how and why this is so. Whatever the foundation of the phenomena may be, most experienced directors, executives, professional accountants (and governors) appear to have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis.

If these preliminary tests give rise to concerns, most think a more thorough analysis should be performed. It is often appropriate (and quite common in practice) for subordinate managers and other employees to be asked to check a proposed decision in a quick, preliminary manner to see if an additional full-blown ethical or practicality analysis is required. These quick tests are often referred to as sniff tests. If any of these quick tests are negative, employees are asked to seek out someone like the corporate counsel or an ethics officer (if there is one) for consultation, or to personally perform a full-blown analysis of the proposed action. This analysis is usually retained, and perhaps even reviewed by upper management.

Some of the more common sniff tests employed by managers with whom I’ve worked are:

–Would I be comfortable if this action or decision were to appear on the front page of a national newspaper tomorrow morning?
–Will I be proud of this decision?
–Will my mother and father be proud of this decision?
–Is this action or decision in accord with the corporation’s mission and code?
–Does this feel right to me?

Unfortunately, although sniff tests and commonly used ethical rules of thumb are based on ethical principles as popularly conceived and are often useful, they rarely, by themselves, represent anything approaching a comprehensive examination of the confronting decision and therefore can leave the individuals and organization(s) involved vulnerable to making a challengeable choice. For this reason, experts advise that more comprehensive techniques of evaluation should be employed whenever a proposed decision is questionable or likely to have significant consequences. Analysis of specific sniff tests and the related heuristics reveals that they usually focus on a fraction of the comprehensive set of criteria that more complete forms of analysis examine.

Traditionally, an accepted business school case approach to the assessment of a corporate decision and the resulting action has been to evaluate the end results or consequences of the action. To most businesspeople, this evaluation has traditionally been based on the decision’s impact on the interests of the company’s owners or shareholders.

Usually these impacts have been measured in terms of the profit or loss involved, because net profit has been the measure of well-being that shareholders have wanted to maximize. This traditional view of corporate accountability has been modified over the last two decades in two ways. First, the assumption that all shareholders want to maximize only short-term profit appears to represent too narrow a focus. Second, the rights and claims of many non-shareholder groups, such as employees, consumers/clients, suppliers, lenders, environmentalists, host communities, and governments that have a stake or interest in the outcome of the decision, or in the company itself, are being accorded an increased status in corporate decision making.

Modern corporations are increasingly declaring that they are holding themselves self-accountable to shareholders and to non-shareholder groups alike, both of which form the set of stakeholders to which the company pledges to respond. It has become evident (look at the Enron example) that a company cannot reach its full potential, and may even perish, if it loses the support of even one of a select set of its stakeholders known as primary stakeholders.

The assumption of a monolithic shareholder group interested only in short-term profit is undergoing modification primarily because modern corporations are finding their shareholders are to an increasing degree made up of persons and institutional investors who are interested in longer-term time horizons and in how ethically individual businesses are conducted. The latter, who are referred to as ethical investors, apply two screens to investments: Do the investee companies make a profit in excess of appropriate hurdle rates, and do they strive to earn that profit in a demonstrably ethical manner?

Because of the size of the shareholdings of mutual and pension funds, and of other types of institutional investors involved, corporate directors and executives have found that the wishes of ethical investors can be ignored only at their peril. Ethical investors have developed informal and formal networks through which they inform themselves about corporate activity, decide how to vote proxies, and how to approach boards of directors to get them to pay attention to their concerns in such areas as environmental protection, excessive executive compensation, and human rights activities in specific countries and regions. Ethical investors as well as other stakeholder groups, tend to be increasingly unwilling to squeeze the last ounce of profit out of the current year if it means damaging the environment or the privacy rights of other stakeholders. They believe in managing the corporation on a broader basis than short-term profit only. Usually the maximization of profit in a longer than one-year time frame requires harmonious relationships with most stakeholder groups based on the recognition of the interests of those groups.

A negative public relations experience can be a significant and embarrassing price to pay for a decision-making process that fails to take the wishes of stakeholder groups into account. Whether or not special interest groups of private citizens are also shareholders, their capacity to make corporations accountable through social media is evident and growing. The farsighted executive and director will want these concerns taken into account before offended stakeholders have to remind them.

Taking the concerns or interests of stakeholders into account when making decisions, by considering the potential impact of decisions on each stakeholder, is therefore a wise practice if executives want to maintain stakeholder support. However, the multiplicity of stakeholders and stakeholder groups makes this a complex task. To simplify the process, it is desirable to identify and consider a set of commonly held or fundamental stakeholder interests to help focus analyses and decision making on ethical dimensions; stakeholder interests such as the following:

1. Their interest(s) should be better off as a result of the decision.
2. The decision should result in a fair distribution of benefits and burdens.
3. The decision should not offend any of the rights of any stakeholder, including the decision maker, and
4. The resulting behavior should demonstrate duties owed as virtuously as expected.

To some extent, these fundamental interests have to be tempered by the realities facing decision makers. For example, although a proposed decision should maximize the betterment of all stakeholders, trade-offs often have to be made between stakeholders’ interests. Consequently, the incurrence of pollution control costs may be counter to the interests of short-term profits that are of interest to some current shareholders and managers. Similarly, there are times when all stakeholders will find a decision acceptable even though one or more of them, or the groups they represent, may be worse off as a result.

In recognition of the requirement for trade-offs and for the understanding that a decision can advance the well-being of all stakeholders as a group, even if some individuals are personally worse off, this fundamental interest should be modified to focus on the well-being of stakeholders rather than only on their betterment. This modification represents a shift from utilitarianism to consequentialism. Once the focus on betterment is relaxed to shift to well-being, the need to analyze the impact of a decision in terms of all four fundamental interests becomes apparent. It is possible, for example, to find that a proposed decision may produce an overall benefit, but the distribution of the burden of producing that decision may be so debilitating to the interests of one or more stakeholder groups that it may be considered grossly unfair. Alternatively, a decision may result in an overall net benefit and be fair, but may offend the rights of a stakeholder and therefore be considered not right. For example, deciding not to recall a marginally flawed product may be cost effective, but would not be considered to be right if users could be seriously injured. Similarly, a decision that does not demonstrate the character, integrity, or courage expected will be considered ethically suspect by stakeholders.

A professional CFE can use an assessment of our client organization’s stakeholder ethical concerns in making pro-active recommendations about fraud detection and prevention strategies and in conducting investigations and should be ready to prepare or assist in such assessments for employers or clients just as they currently do in other fraud deterrence related business processes.

Although many hard-numbers-oriented investigators will be wary of becoming involved with the soft risk assessment of management’s tone-at-the-top ethically shaped decisions, they should bear in mind that the world is changing to put a much higher value on the quality and impact of management’s whole governance structure, the posture of which cannot fail to negatively or positively affect the design of the client’s fraud control and prevention programs.

Ambiguous Transactions

As any experienced fraud examiner will be happy to tell you, unambiguously distinguishing individual instances of fraud, waste and abuse, one from the other, can be challenging; that’s because transactions demonstrating characteristics of one of these issues so often share characteristics of the other(s). A spate of recent articles in the trade press confirms the public impression not only that health care costs are constantly rising but that poorly controlled health care provider reimbursement systems represent significant targets of waste and abuse, both within companies themselves and from external bad actors.

While some organizations review their health benefits programs and health administrator organizations annually, others appear to be doing relatively little in this area. Consequently, CFEs are increasingly being asked as audit team members to participate in fraud risk assessments of health benefits administration (HBA) programs for corporations, government entities, and nonprofit organizations. As a consequence, ACFE members are increasingly identifying practices that result in recoverable losses as well as losses that were never recovered because some among our client organizations have never effectively audited their health benefit plans.

A good place to start with this type of fraud risk assessment is for the CFE to evaluate the oversight of HBA reporting activities that could identify unidentified losses for the client organization.

Many organizations contract with third-party administrators (TPAs) to oversee their employee insurance claims process, health care provider network, care utilization review, and employee health plan membership functions. In the arena of claims processing, in today’s environment of rising costs, TPAs can make significant claim payment errors that result in financial losses to the CFE’s client organization if such errors are not promptly identified, recovered, and credited back to the plan. Claim overpayments are common in the industry; and most TPAs themselves have audit processes in place to minimize the losses to their clients. Many control assurance professionals incorrectly assume that the claim audit covers all the exposures, as the primary function of claims administration is to pay claims. This misconception can block a true understanding of the nature of the exposures and lessen the client’s sense of the necessity that systematic fraud and waste detection audits of health care claims transactions are performed, both externally and internally.

The trade press recently reported that an administrator for a U.S. federal government health benefits plan changed its method of administering coordination of benefits (COB) from “pursue and pay” to “pay and pursue.” Under “pursue and pay,” the administrator determines who the primary insurance payer is before making payment. Under “pay and pursue,” the administrator pays the insurance claim and pursues a refund only if it itself is determined to be the secondary payer. In this case, the clients were billed for the payment of full benefits, even though they should have been the secondary payers. The financially strapped administrator recovered the overpayments, deposited them into a bank account, and never credited its clients. Following an audit, one of the client plans received a check for $2.3 million for its share of the refunds that were not returned to it. Is this case of apparent deception an example of fraud? Of waste? Or of abuse?

If COB savings had been routinely monitored by each of the plans, along with each client’s other cost containment activities, they would have noticed that the COB savings had fallen off and were next to nothing under “pay and pursue.” When looking at COB, CFEs and client internal auditors should review the provisions of the contract with the administrator to determine who is responsible for identifying other group coverage (OGC), the methodology for investigating OGC, time limitations for recovering overpayments, and the requirements for the reporting of savings to the client organization by the administrator. In conducting their risk assessments, client management and CFEs also should consider the controls over the organization’s oversight of monitoring COB savings and over the other cost containment activities performed by the administrator.

The COB case considered above was intentional deception, but losses also can be unintentional. To recover overpayments, the TPA can use a refund request letter to request refunds from healthcare providers (hospitals, physicians, etc.), or use the provider offset method, which deducts the overpayment from the provider’s next payment. The ACFE has reported one case in which a provider voluntarily returned an overpayment. The administrator’s policy was to return the refund check to the submitting provider with a form to complete including instructions to send the form and the check back to the administrator to initiate a provider offset on the next payment to the provider. No logs were kept of the checks received and returned to the providers. Following an audit, the client found that, because of a lack of training, personnel of its administrator had deposited the returned checks from providers into an administrative holding account. Subsequent to the investigation and administrative staff training, the client’s refund activity increased from almost nothing to more than $1 million a year. Including the monitoring and analyzing of refund activity as a component of the fraud prevention program will unfailingly provide insight into how well claim overpayments are being controlled.

When assessing for fraud risk regarding refund activity for health insurance overpayments, CFEs should pay attention to the collection methods used by the administrator, overpayment amounts and time limitations for recovery, and the use of external vendors and their shared savings on recoveries. Reporting from the administrator should be required to include an analysis of refund activity, the reasons for the refund(s), breakout between solicited and unsolicited refunds, and the balance of outstanding refunds.

Sometimes it cannot be determined whether an organization’s losses are intentional or unintentional. For example, in one review, several organizations contracted with a marketing firm specializing in a new approach to control health-care costs. The marketing firm hired an administrator to process the claims for its clients. After four months with the firm, an alert accountant at one of the organizations questioned why funding requests coming from the marketing firm were running 20 percent higher each month than they had been with the previous administrator. The organization’s finance division requested a review which revealed that the marketing firm had been billing its clients based on claims processed by the administrator, including claims not paid. The firm insisted it had not been aware that the funding requests resulted in client overbilling and agreed to refund the overbilled amounts to the organization.

Monitoring and approving the funding requests against some measure of expected costs can identify when costs should be investigated. When reviewing funding requests, assurance professionals should pay attention to the internal funding approval process, supporting detail provided by the administrator to support the funding, funding limitation controls to identify possible overfunding for follow-up investigation, bank account setup and account access, and the internal funding reconciliation process.

While losses may occur because of the administrator’s practices, losses (waste) also can go undetected because the organization does not perform adequate oversight of the practices used on its accounts. Preferred provider organization (PPO) discounts are common in managed health care plans. When organizations use PPO networks that are independent of the administrator’s contracted network, the PPO networks receive the claim first to reprice it with the negotiated rate. The PPO network generates a repricing sheet, which is sent with the original claim to the administrator for processing and payment.

In one case, no one explained the repricing sheets to the claim examiners, so they ignored them. The claims system automatically priced and loaded the administrator’s network claims with the negotiated rates into the claims system. However, because the client’s external PPO network fees were not in the claims system, the claims were paid at billed charges. The client lost an estimated $750,000 in discounts over a one-year period and was paying 34 percent of the savings to the PPO networks for savings that it never received. The client did not detect the lost discounts because it never reconciled the discounts reported by the PPO’s quarterly billings for its share of the savings to a discount savings as reported by the administrator.

While examining risks regarding discounts, CFE auditors should review the administrator’s or independent PPO network’s contracts regarding PPO pricing and access to pricing variation for in-network provider audits, alternative savings arrangements using external vendors for out-of-network providers, and reporting of PPO discount savings. Within their own organizations, auditors should be instructed to review the internal process of monitoring discount reporting and reconcile PPO shared savings to the administrator reporting the discounts.
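One way to run the reconciliation described above, as an added example that is not part of the original article: it compares the savings each PPO quarterly billing charges for against the discounts the administrator actually applied, and lists claims whose repricing sheet was ignored. The 34 percent share comes from the case; the record layouts, field names, tolerance and sample figures are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

FEE_RATE = Decimal("0.34")   # PPO's share of savings, as in the case above
TOLERANCE = Decimal("0.02")  # assumed: flag if >2% of billed savings is unrealized
CENT = Decimal("0.01")


@dataclass(frozen=True)
class Claim:                 # one row of the administrator's paid-claims extract
    claim_id: str
    quarter: str
    billed: Decimal          # provider's billed charges
    repriced: Decimal        # negotiated amount on the PPO repricing sheet
    allowed: Decimal         # amount the administrator actually priced the claim at


@dataclass(frozen=True)
class PpoInvoice:            # one quarterly shared-savings billing from the PPO
    quarter: str
    savings_billed: Decimal  # savings the PPO says it produced
    fee: Decimal             # amount the client is asked to pay for them


def ignored_repricing(claims):
    """Claims priced above the repricing sheet, with the discount lost on each."""
    return [(c.claim_id, c.allowed - c.repriced)
            for c in claims
            if c.repriced < c.billed and c.allowed > c.repriced]


def reconcile(claims, invoices):
    """Per quarter: PPO-billed savings versus discounts the administrator applied."""
    realized = defaultdict(Decimal)
    for c in claims:
        realized[c.quarter] += c.billed - c.allowed
    report = []
    for inv in sorted(invoices, key=lambda i: i.quarter):
        got = realized[inv.quarter]          # 0 if the quarter has no claims
        unrealized = inv.savings_billed - got
        # Does the fee equal the contractual share of the savings billed?
        fee_ok = inv.fee == (FEE_RATE * inv.savings_billed).quantize(CENT)
        report.append({
            "quarter": inv.quarter,
            "savings_billed": inv.savings_billed,
            "savings_realized": got,
            "unrealized": unrealized,
            # Fee paid for savings the client never received
            "fee_on_unrealized":
                (FEE_RATE * max(unrealized, Decimal("0"))).quantize(CENT),
            "fee_matches_contract": fee_ok,
            "flagged": unrealized > TOLERANCE * inv.savings_billed or not fee_ok,
        })
    return report


def _d(value):
    return Decimal(value)


# Constructed sample data: in Q2 two repricing sheets were ignored and the
# claims were paid at billed charges, as in the case described above.
CLAIMS = [
    Claim("C1", "2023Q1", _d("1000"), _d("700"), _d("700")),
    Claim("C2", "2023Q1", _d("2000"), _d("1500"), _d("1500")),
    Claim("C3", "2023Q2", _d("5000"), _d("3500"), _d("5000")),
    Claim("C4", "2023Q2", _d("1200"), _d("900"), _d("900")),
    Claim("C5", "2023Q2", _d("3000"), _d("2100"), _d("3000")),
]
INVOICES = [
    PpoInvoice("2023Q1", _d("800"), _d("272.00")),
    PpoInvoice("2023Q2", _d("2700"), _d("918.00")),
]

if __name__ == "__main__":
    for row in reconcile(CLAIMS, INVOICES):
        status = "INVESTIGATE" if row["flagged"] else "ok"
        print(row["quarter"], status,
              "billed:", row["savings_billed"],
              "realized:", row["savings_realized"],
              "fee on unrealized savings:", row["fee_on_unrealized"])
    for claim_id, lost in ignored_repricing(CLAIMS):
        print("repricing sheet not applied:", claim_id, "lost discount", lost)
```
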

There are frequent reports on fraud, abuse, and errors in government health programs issued by the U.S. Department of Health and Human Services’ Office of the Inspector General and by the U.S. Government Accountability Office; all these reports can be of use to CFEs in the conduct of our investigations. Because many of our client organizations’ health plans mirror government programs, the fraud risk exposure in organizations is almost everywhere the same. Organizations have incurred tremendous losses by not systematically reviewing benefits administration and through lack of understanding of the dynamics of health plan oversight within their organizations. Developing and promoting a team response within an organization to foster understanding of the exposures in the industry is a practical role for all CFEs. This posture puts fraud examiners (as members of the fraud/abuse prevention and response team) in a position to provide management with assurance that the reporting on the millions spent on employees’ health benefits is accurate and reasonable and that associated costs are justified.

The Multi-Purpose Final Report

ACFE training has long told us that a prudently crafted final examination report can have a variety of important uses. As we know, when the fraud investigation has been completed, the investigator writes a formal report. The report itself plus expert opinions and testimony are then used as needed to support the resolution of issues that can relate to a whole host of matters potentially concerning taxes, employment, regulatory reporting, litigation (civil and criminal), and insurance claims.

Because the report can be used for such varied purposes, it should always be constructed under the assumption that it will be challenged in court. This requires that the report meet very high standards; any errors or misstatements in it may be used to undermine the credibility of both the report and of the investigator who wrote it.

Frauds typically result in business losses. For income tax purposes, such losses may be classified as either deductions or offsets to reportable revenues depending on the type of loss and the taxing authority. In cases of misappropriation, almost any type of asset can be fraudulently converted, and in some cases, a valuation expert might be needed to determine the dollar amount of the loss.

In cases of occupational fraud, the financial records can be so damaged from the fraud scheme that an exact determination of the loss is impossible. In such cases, the report may attempt to estimate the loss using any reasonable means available because taxing authorities often permit estimation of losses in cases of destroyed records.

Some occupational fraud schemes result in so much damage to the financial records that the entity will not have enough information to file tax returns. This can happen, for example, if the revenue records are either destroyed or rendered unreliable as a result of fraudulent transactions and journal entries. In such cases, it might be necessary to conduct a major reconstruction of the accounting records before losses can be determined, reliable financial statements can be generated, and tax returns can be filed. In fact, in some cases, the fraud investigator’s report might need to focus on the loss due to destruction of the financial records and leave open the issue of misappropriation pending reconstruction of the financial records. Of course, depending on the scope of the investigation and the available information, the investigator might both reconstruct the financial records and report on any misappropriation losses.

Another tax-related issue involves the embezzlement of funds set aside to pay payroll taxes. The U.S. federal tax system sometimes refers to such funds as trust fund taxes because under tax law, these funds belong to the Internal Revenue Service (IRS) from the moment they are collected. The business and the owners merely serve as trustees in collecting the taxes on behalf of the IRS.

Employers who terminate an employee for committing fraud can eventually battle the employee in litigation. In some cases, the former employee may sue for wrongful termination of employment, defamation, or discrimination. In other cases, an employee who is to be fired might have collective bargaining rights that require an arbitration process with a right of appeal. Fired employees may also attempt to claim government unemployment compensation benefits.

As a general rule, employees who are fired for serious misconduct (e.g., fraud) are not entitled to benefits. However, employees may argue that their termination was not deserved and may request a hearing to argue their side of the story. If this occurs, a fraud investigation report could serve as important evidence.

Whether a fired employee receives unemployment benefits may be important in determining the amount the company is required to pay for unemployment insurance. As a result, an employer who routinely fires employees runs the risk of incurring considerable increases in the cost of unemployment insurance. To make things even worse, if a fired employee was the one in charge of making unemployment insurance contributions but did not make them on time, a penalty rate of 150 percent could be applied to the employer’s future contributions. The exact consequences depend on the particular state involved because rules for unemployment insurance for state and federal governments differ. As a result of the possible tax and legal consequences as well as of possibly embarrassing publicity, employers are frequently reluctant to fire dishonest employees. Instead, they do things to encourage dishonest employees to leave voluntarily after taking measures to prevent them from continuing the fraud. In some cases, employers actually give dishonest employees favorable recommendations for future jobs.

Sometimes, a fraud investigation report may trigger mandatory reporting of the fraud to a government agency. For example, §1233.3 (a) of Title 12 (Banks and Banking) of the U.S. Electronic Code of Federal Regulations states the following:

‘A regulated entity shall submit to the Director a timely written report upon discovery by the regulated entity that it has purchased or sold a fraudulent loan or financial instrument, or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.’

A fraud investigation report can sometimes be more helpful in ruling out fraud than in ruling it in. For example, a report might read, “A detailed examination of the financial records did not reveal any intentional irregularities or evidence of fraud or misappropriation.” On the other hand, when there is fraud, the report might read something like, “There was a series of irregular computerized journal entries made in the accounts receivables ledgers and corresponding shortages in the cash account. The employee in charge of the computerized journal entries left the company before this investigation began and was not available for an interview. The owner states that only she and the former employee had access to the journal in question.”

The wording in this report suggests that the former employee may have embezzled funds from collections on account by making irregular journal entries. But the report cannot guarantee that s/he did so, nor can it definitively conclude that a fraud occurred. As a general rule in advance of an occupational fraud investigation, interested parties should not assume that the investigation will result in a report that gives a definitive answer to whether a fraud occurred. A more reasonable outcome is a report that identifies missing or damaged records or missing assets.

Fraud reports can be very helpful in both criminal and civil litigation. However, they can be less than satisfying in trying to persuade authorities to prosecute a suspect. What happens too often is that police or prosecutors browse through a fraud investigation report looking for a clear statement that identifies the guilty person. But, of course, such statements don’t appear in independent fraud investigation reports written by CFEs.

In many cases, a fraud investigation report is enough to at least persuade authorities to look at a case, especially with the hope of getting a quick confession. But if the suspect denies everything or lawyers up, law enforcement quickly realizes that they will need to hire a forensic accountant (because it is unlikely that they have one of their own) and will be forced to try to understand what they consider to be arcane and obscure accounting concepts.

The saying in law enforcement circles (as with the news media) is “if it bleeds, it leads.” In a metropolitan area, police quickly send a dozen squad cars, a SWAT team, and a helicopter to pursue someone who robs a liquor store of $100 with a penknife. But the same police respond with glassy eyes if the owner of the same liquor store reports that his accountant has robbed the business of $100,000 using a computer to manipulate the accounting records.

Although it does happen, most victims do not sue their fraudsters, primarily because fraudsters are typically judgment proof, meaning they do not have sufficient assets to repay their victims. However, criminal courts can and do order restitution, which can provide a strong motive for the victim to prosecute the perpetrator. In some jurisdictions, courts order convicted fraudsters to make regular restitution payments directly to the court, which then distributes them to the victim.

Finally, many companies have insurance with coverage for losses related to fraud. This coverage can include losses such as those due to the costs of preparing a proof of loss, losses due to embezzlement, losses of valuable papers and records, and loss of income. Independent fraud investigation reports can be very helpful in supporting insurance claims. Furthermore, one nice thing about embezzlement coverage is that some policies are written so that it is necessary only to prove that a loss has occurred, not who the guilty party is. The usefulness of a fraud investigation report with respect to losses of valuable papers and records, and loss of income, depends on the scope of the investigation. In many cases, the scope does not include determining the amount of losses of income or damage to valuable papers and records.

Risk-Centric Fraud Prevention

A number of our certified Chapter members, currently practicing both independently and as corporate staff, report being asked by clients and employers to proactively assist in the establishment of first-time internal fraud prevention programs. That this development is something new is borne out by recent articles in the trade press but, on a moment’s reflection, shouldn’t be surprising since CFEs are so uniquely qualified for the particular task.

At a time when an increasingly volatile stock environment, increased cases of cyber fraud, the pressure of globalization and a multitude of increased regulatory requirements are of major concern to all managements, risk assessment and fraud prevention really have to play an important role in ensuring that corporations are not exposed to unexpected and poorly controlled risks. Internal fraud prevention related activities need to be revisited with a focus not just on all these new business paradigms but also on stakeholders’ expectations, transparency, and accountability.

It just makes sense then that today’s environment also calls for greater collaboration and strong relationships between all types of assurance professionals with their clients at all levels to ensure an internal anti-fraud structure is in place (if one doesn’t presently exist) that facilitates a healthy, secure and transparent operating environment.

To facilitate the establishment of a risk-centric approach, today’s fraud prevention functions (new or presently existing) must continually revisit their methodologies, processes, and practices. CFEs can provide experienced insight and real-time value to their client organization by expanding their consulting efforts to facilitate a risk-centric approach, helping to establish the foundation for a more sophisticated and nimble tone at the top, and by focusing on increased collaboration and strategic engagement.

Fraud prevention efforts have been dominated for some time now by a control focused approach that is often reactive and regressive in actual practice in the face of today’s swiftly changing realities. Anti-fraud professionals today need to widen their proactive scope to address the growing governance threats and risk management needs of increasingly global organizations. This requires them to adopt a revised risk-centric approach that involves:

–Taking fraud prevention and business ethics from a compliance perspective to a cultural mind-set. Accurately assessing these risks requires more than just checking to see whether rules are being followed; practitioners must also try to ensure that the spirit of these rules is incorporated into activities at every level.

–Determining key business and fraud risks rather than casting a wide net over numerous risks, many of which may be remote or obscure; the concept of critical business process identification drawn from disaster recovery and continuous operations planning is especially relevant here.

–Identifying emerging risk issues and trends, such as changes in the regulatory environment (which are often wholly reactive), and bringing them to the attention of key stakeholders.

–Estimating the significance of each fraud risk and assessing its probability of occurrence based on a deeper understanding of the present sense conveyed by constantly shifting data and as sometimes pinpointed by sophisticated statistical analysis.

–Identifying programs and controls designed to more sensitively detect and address risk, and concurrently testing their effectiveness in real time.

–Coordinating with the other critical risk and control related business processes, such as compliance, risk management, fiscal control, and legal, to ensure that fraud risks are identified, controlled and managed appropriately.

To provide real strategic value to the organization, new and existing fraud prevention practitioners need to help develop risk-based action plans that respond to their present state of risk assessment awareness and which focus on stakeholder expectations. Internal anti-fraud plans should incorporate risk identification and prioritization, as well as analysis and quantification of risk factors particularly in the new business ventures and strategies so characteristic of today’s volatile environment. Such planning should also reflect an understanding of shared risks among various projects and initiatives, and feature continuous monitoring of business activities and key performance indicators.

In the present cyber-threat laden environment the internal fraud prevention business process has to move from being just another routine and disconnected function to being a fulcrum of organizational governance and risk, working in concert with management, the board, and external auditors. Top management can establish the fraud prevention function’s role by:

–Allowing senior fraud examiners and investigators exposure to security information presently associated with key management and governance committees.
–Championing the importance of ethical conduct, fraud identification and fraud prevention consistently.
–Taking immediate and proactive action on fraud examination and investigative findings regardless of the level of the organization at which suspected perpetrators are identified.
–Holding senior executives accountable for identified instances of fraud, waste and abuse in business processes over which they exercise management oversight.
–Supporting the management of the fraud prevention function when its findings and recommendations to improve security prove politically unpopular.
–Defining fraud prevention’s role and management’s expectations.
–Providing appropriate funding, talent and authority to the function.

The ACFE has long indicated that a strong tone at the top from senior management about the importance of an internal fraud prevention function goes a long way toward promoting the engagement of managers throughout the client organization.

For staff assigned to an internal fraud prevention plan to proactively review important business strategies successfully for fraud vulnerability, examiners need to collaborate with management. In addition to providing assurance on compliance initiatives, examiners should develop a forward-looking approach to their assessment planning in which they cooperate and coordinate with related risk and control functions, focus on critical business risks and exposures, and determine the relevance and effectiveness of gathered executive responses to help an organization manage fraud risk proactively. To be forward-looking, fraud prevention professionals need to be fully integrated into the strategic planning process so that they can clearly identify which fraud related risks the organization will be undertaking. They also must be involved with the business in evaluating problems that come to light to determine whether they are the result of control weaknesses that could also emerge in other parts of the organization.

To identify and analyze rapidly emerging risks, direct resources toward areas of greatest risk, and conduct targeted, real-time investigations in response to specific, predicated risks, examiners must leverage technology, learn new skills, and work with management to understand and clarify their evolving expanded role.

To assess the new emerging risks effectively, fraud prevention professionals must develop a deeper understanding of the client business and of the processes that make competitors in the client’s industry successful. An effective fraud prevention activity that can deal with contemporary business risks and meet the ever-increasing demands of management and stakeholders requires a solid staffing strategy. As CFEs we must help spread the word that our client organizations need to invest in skilled resources, methods, training, career paths, and technical infrastructure to deal with increasing cyber-related business risks related to fraud, their internal controls, and government imposed regulations. When staffing a fraud prevention function, top management should:

–Establish a program for selecting and developing the fraud prevention team.
–Identify the skills and expertise required for an effective anti-fraud business process; the ACFE’s guidance and training programs are an invaluable resource to any organization contemplating a new fraud prevention function or looking to strengthen an existing one.
–Assess existing resources to identify staffing gaps.
–Identify and create key performance indicators for deploying fraud prevention and investigatory resources.
–Co-source or outsource internal fraud prevention activities, based on an assessment of current resources, budget, and strategic and tactical requirements.

Acquiring new skills through ACFE training can enable internally focused examiners to direct resources to those techniques that are the most effective in identifying risks to the organization. Especially important is the need to develop deep expertise in specialties such as credit, IT, finance, compliance, and cyber. In addition, investigators and examiners will have to be trained to approach their work strategically, beginning with a detailed understanding of where its owners and stakeholders believe the client business has been and where it is going.

In summary, progressive internal fraud prevention and investigation functions need to partner with their client organization’s risk management function to gain comprehensive visibility into enterprise-wide risks and to support performance of automation supported follow-on risk assessments that can help prevent fraud vulnerability issues from turning into fraud events. Such insight into the organization’s risk profile allows internal investigative professionals to deliver more strategic value by focusing their proactive fraud risk evaluation efforts on areas that represent the greatest risk to the organization as well as proactively anticipating where emerging fraud risk issues are most likely to cause problems. In addition, leveraging the activities performed by the client’s risk management function can lower fraud prevention’s overall cost of operation.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE), has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually. Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organization’s exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization’s goals considering that desired state is essential. Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

–A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of, continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

The Fire Alarm & the Bottom Line

I was having lunch with a couple of colleagues yesterday and the topic of ‘pulling the fire alarm’ came up. Specifically, ‘pulling the fire alarm’ relates to a corporate employee alerting management about the suspected fraudulent activity of a fellow employee. Everyone at the table agreed that the main reason management is often deprived of this vital intelligence is that your typical employee has a very hard time getting his or her head around the fact that their personally well-known co-worker can even be deceptive or dishonest, let alone actually steal something.

CFEs are trained to know that good people can be, and often are, deceptive. When people think of deception, they often envision being tricked or having the wool pulled over their eyes. Although fraudulent acts are frequently acts of deception, the fallacy lies in believing that individuals within “our organization” would never commit a deceptive act. After all, our conflicted employee tells herself, our organization goes to great lengths to hire top-notch talent who will be loyal and faithful. Our potential whistle-blower is aware that company employees are promoted through the ranks into leadership roles only because they’ve displayed some unique attributes related to their individual knowledge or talent.

ACFE interviews with fraudsters tell us that the psychological impact of events on professionals in today’s world is difficult to predict. Individuals who’re typically reasonable and display high integrity can frequently be placed in situations where both personal and professional stress can impact their decisions and actions in ways they may have never imagined. This is where the almost universal tendency to bestow the dangerous gift of the benefit of the doubt must be countered.  No question that organizations must encourage that general openness and transparency in everyday actions be practiced by their employees at all levels. But employees must also be made to understand that if someone questions an action or event, established outlets are available to report those concerns without the fear of repercussions. A specific example that unintentionally supports the benefit of the doubt syndrome is an instance where an employee repeatedly performs an inappropriate action among a group of co-workers within the corporate setting. Someone who witnesses the act may not feel comfortable speaking up at the time of the occurrence, especially if the person performing the action is his or her superior in the corporate hierarchy. However, that doesn’t mean it’s okay to walk away from the situation and say nothing. The outlets to report concerns may be as simple as speaking to a supervisor, contacting a human resources representative, or even calling the employee hotline. Employees must be encouraged to speak up whenever they see activity occurring that they believe is inappropriate. If they don’t, they’re perpetuating a culture of denial and silent acceptance.

Such a culture of silent acceptance can grow almost imperceptibly until the organization can irrationally come to unconsciously believe it’s immune to fraud.   My luncheon companions agreed that this syndrome is entirely natural given that all organizations want to believe they’re immune to fraud; then the table talk turned to the following interesting and related points…

It’s unfortunate that it takes some shattering event like a major embezzlement to make some organizations face the fact that fraud doesn’t discriminate; it can happen anywhere, any time. Just as individuals may rationalize why it’s okay to commit fraud, organizations sometimes attempt to rationalize the “whys” that support their belief that fraud won’t happen to them. Every CFE has seen instances of this defensive stance even during ongoing fraud examinations! There can be multiple beliefs within corporate cultures that contribute to this act of rationalization. What one person views as a very strict policy, another person may see as a simple guideline open to interpretation. It’s always important to maintain several levels of defense against fraud, including multiple preventive and detective controls. Because it is not possible to provide absolute assurance against fraud, it becomes even more critical to ensure that controls in place are sufficient to place periodic roadblocks, warning signs, or the proverbial fire alarm in appropriate places. It also is important that those controls and warning signs are uniformly applied to all employees within the organizational ranks.

Then there’s the old canard about materiality. Almost the first question you get about a suspected fraud, especially in my experience from financial personnel, is “Is it material?” meaning is it material to the financial statements. The implication is that the discovered fraud isn’t that important because it will have little or no effect on the bottom line. The ACFE tells us that fraud is dynamic and often can occur long before there is any significant impact to the financial statements. For example, frauds resulting in identity and information theft may eventually prove to have financial ramifications. However, the initial ramifications are breach of identity and information confidentiality. The question about materiality is one of the signs that management may not fully understand the difference between control gaps, which may create opportunity for inappropriate actions, and actual control failures. When it comes to fraud prevention, the question shouldn’t be, “How much was taken or how much did we lose?” but instead, “What fraud opportunity has been created from the control gap identified?” Thus, no fraud is ever immaterial because even a small amount of identified stolen money may only be the tip of the iceberg. Where one fraud has been identified, there may be several related others operative but not yet detected.

In today’s technological world sophisticated information systems include workflow, authority delegation, acceptance reporting, system alerts, and intrusion technology. These processes rely on programming controls and periodic monitoring techniques to ensure access is in line with company objectives. Although these system enhancements have improved efficiency in many ways, there are often loopholes that provide a knowledgeable, often high-level, individual with the opportunity to rationalize or take advantage of poorly designed procedures to support a wide range of fraudulent activity. So, “authorized” can represent a danger if management places too much reliance on system-established fraud prevention controls and then doesn’t build in mechanisms to appropriately monitor and manage those controls. The simplest example of unauthorized transactions is illustrated in how delegation of authority is established and maintained within systems. If authority delegations are established with no end-date, or extended to individuals at a lower responsibility level than the true need, then expenditures may not be approved in line with corporate guidelines. This may seem like a minor control gap, but the potential for fraud, waste and abuse can be significant. And, if this trend goes undetected for an extended period, the risk can become even greater.
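The two delegation gaps named above (no end-date, and a delegate below the responsibility level the authority requires) lend themselves to a periodic automated review. The following Python is an added example, not code from the original post; the record layout, level numbers and sample data are assumptions constructed for illustration, and the check for approvals dated outside a delegation's window goes slightly beyond the two gaps the text names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Delegation:
    id: str
    delegate: str
    delegate_level: int       # responsibility level the delegate holds (assumed scale)
    required_level: int       # minimum level policy demands for this authority
    start: date
    end: Optional[date]       # None = delegation was created with no end-date


@dataclass(frozen=True)
class Approval:
    delegation_id: str
    amount: float
    approved_on: date


def review_delegations(delegations, as_of):
    """Map delegation id -> list of control-gap findings."""
    findings = {}
    for d in delegations:
        issues = []
        if d.end is None:
            # How long the gap has been open matters: risk grows with time.
            issues.append(f"no end-date, open {(as_of - d.start).days} days")
        if d.delegate_level < d.required_level:
            issues.append(
                f"delegate level {d.delegate_level} below required {d.required_level}"
            )
        if issues:
            findings[d.id] = issues
    return findings


def exposure(delegations, approvals, as_of):
    """Total amount approved under each flagged delegation, plus any
    approval dated outside its delegation's validity window."""
    flagged = review_delegations(delegations, as_of)
    by_id = {d.id: d for d in delegations}
    totals = {k: 0.0 for k in flagged}
    out_of_window = []
    for a in approvals:
        d = by_id.get(a.delegation_id)
        if d is None:
            out_of_window.append(a)   # approval cites an unknown delegation
            continue
        if a.approved_on < d.start or (d.end is not None and a.approved_on > d.end):
            out_of_window.append(a)
        if d.id in totals:
            totals[d.id] += a.amount
    return totals, out_of_window


# Constructed sample records (not from any real system).
AS_OF = date(2024, 6, 30)
DELEGATIONS = [
    Delegation("D-1", "a.lee", 4, 4, date(2024, 1, 1), date(2024, 3, 31)),
    Delegation("D-2", "b.ortiz", 2, 4, date(2023, 7, 1), None),
    Delegation("D-3", "c.nguyen", 5, 3, date(2024, 2, 1), None),
]
APPROVALS = [
    Approval("D-1", 1200.0, date(2024, 2, 10)),
    Approval("D-1", 900.0, date(2024, 4, 15)),   # dated after D-1 expired
    Approval("D-2", 48000.0, date(2024, 5, 2)),
    Approval("D-2", 51000.0, date(2024, 5, 20)),
    Approval("D-3", 300.0, date(2024, 3, 3)),
]

if __name__ == "__main__":
    for did, issues in review_delegations(DELEGATIONS, AS_OF).items():
        print(did, "; ".join(issues))
    totals, stray = exposure(DELEGATIONS, APPROVALS, AS_OF)
    print(totals, [a.delegation_id for a in stray])
```

Run on a schedule against the delegation table, the findings give reviewers both the gap and the money approved through it, which is the figure that turns a "minor control gap" into a prioritized remediation item.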

Another example may be the use of administrative user IDs for management, granting administrative access to systems and financial accounts. There is a very distinct and established purpose for granting this type of access; however, if the granting of the IDs is not well-controlled or monitored, there can be a significant internal control exposure that creates the opportunity for a potentially high level of fraudulent behavior to occur. This doesn’t mean that just because a company has excessive administrative IDs, it can expect that fraud is occurring within its corporate environs. However, those of us around the table agreed that this is why senior management and the board need to understand the reality of an administrative fraud control gap. In case after case, overuse and poor monitoring of these types of IDs by senior corporate officials (like CFOs and CEOs) have created the threat or opportunity for some activity that may not be acceptable to the organization.

Fraudsters are continually evolving, just like the rest of society. As CFEs, we’re painfully aware that unauthorized transactions don’t always occur just because of external hacking, although the very real hacking threat seems the current obsession. Assurance professionals mustn’t overlook all of the internal fraud possibilities and probabilities that are present due to sophisticated business systems. Fraud in the digital age continues to expand and mature. We have to assist our client organizations to take an ongoing, proactive approach to the examination and identification of ways that myriad types of unauthorized transactions can slip through their internal firewalls and control procedures.

Communication is Who We Are

One of the most frequently requested topics for ACFE-led instruction concerns the art of fraud interviewing, one of the most complex and crucial disciplines of the many comprising the fraud examination process. And at the heart of the interviewing process lies communication. As we all know, communication is the process of effectively sending and receiving information, thoughts, and feelings. First and foremost, an effective interviewer is an effective communicator and being an effective communicator depends on building rapport. According to the ACFE, if you don’t establish rapport with a subject at the outset of the fraud interview, the possibilities of your spotting anything are very low. Rapport is the establishment of a connection between two individuals that is based on some level of trust and a belief in the existence of a relationship that is mutually beneficial to both parties.

The interviewer who thinks s/he will find a cooperative subject without making a connection with that individual is in for a disappointment. Rapport is determined by our attitude toward the subject. Just as we as interviewers use our powers of perception to “read” the subject, the subject reads us as well. If he senses condemnation, superiority, hostility, or deceit, you can expect little but superficial cooperation from any interaction.  Besides, above all else, as the experts tell us, we are professionals. As professionals, personal judgments have no place in an interview setting. Our job is to gather information empirically, objectively, and without prejudice towards our subjects.  Why do we identify with and speak more freely to some people than to others? We’re naturally drawn to those with whom we share similar characteristics and identities. Techniques and tools are important, but only to the extent that they complement our attitude toward the interview process. So, effective communication is, in this important sense,  not what we do – it’s who we are.

And along with rapport, the analysis of the quality of the interaction between both interview participants is critical to the communication process.  An interview is a structured session, ideally between one interviewer and one subject, during which the interviewer seeks to obtain information from a subject about a particular matter.  And just as we signal each other with voice pitch and body language patterns when we’re sad, angry, delighted, or bored, we also display distinct patterns when trying to deceive each other. Fortunately for those of us who interview others as part of our profession, if we learn to recognize these patterns, our jobs are made much simpler. Of course there is no single behavior pattern one can point to and say “Aha! This person is being deceptive!” What the professional can point to is change in behavior. Should a subject begin showing signs of stress as our questions angle in a certain direction, for example, we know we have hit an area of sensitivity that probably requires further exploration.  If you interview people regularly, you probably already know that it is more likely for a subject to omit part of the story than actually lie to you. Omission is a much more innocuous form of deceit and causes less anxiety than fabricating a falsehood. So even more importantly than recognizing behavior associated with lying, the interviewer must fine tune her skills to also spot concealment patterns.

ACFE experts tell us that each party to a fraud interview may assume that they understand what the other person is conveying. However, the way we communicate and gather information is based in part on which of our senses is dominant. The three dominant senses, sight, hearing, and touch influence our perceptions and expressions more than most people realize. A sight dominant subject may “see” what you are saying and tell you he wants to “clear” things up. An auditory dominant person may “hear” what your point is and respond that it “sounds” good to him. A touch dominant person may have a “grasp” of what you are trying to convey, but “feel uncomfortable” about discussing it further.

By analyzing a subject’s use of words, an interviewer can identify his dominant sense and choose her words to match. This helps strengthen the rapport between interviewer and subject, increasing the chances of a good flow of information. Essential, of course, to analyzing and identifying a subject’s dominant senses are good listening skills. Effective communication requires empathetic listening by the interviewer.  Empathetic listening and analysis of the subject’s verbal and nonverbal communication allows us to both hear and see what the other person is attempting to communicate. It is the information that’s not provided and that’s concealed, that is most critical to our professional efforts.

In developing your listening abilities, and by practicing them with others with whom you communicate every day, the vast array and inexhaustible variations of the human vocabulary are bound to strike you. The most effective way to communicate is with clear, concise sentences that create no questions. However, the words we choose to use, and the way that we say them, are limited only by what is important to us. A subject, reluctant or cooperative, will speak volumes with what they say, and even more significantly, what they don’t say. Analysis of the latter often reveals more than the information the subject actually relates. For instance, the omission of personal pronouns could mean unwillingness on the part of the subject to identify himself with the action.

One final note of caution.  If you ask the experts about the biggest impediment to an effective interview, they will probably give you a surprising answer. Most experienced interviewers will tell you that often the greatest impediment to a successful interview is the interviewer herself. Most interviewers use all of their energies observing and evaluating the subject’s responses without realizing how their own actions and attitudes can contaminate an interview. In fact, it’s virtually impossible to conduct an interview without contaminating it to some extent. Every word used, the phrasing of a question, tone, body language, attire, the setting – all send signals to the subject.  The effective interviewer, however, has learned to contaminate as little as possible. By  retaining an objective demeanor, by asking questions which reveal little about what s/he already knows, by choosing a private setting and interviewing one subject at a time, s/he keeps the integrity of the interview intact to the best of her ability.

Go with the Flow!

As a fraud examiner and internal auditor, I’ve always been a big fan of the cash flow statement and, if you’re a fraud examiner, I think you should be too. For the non-accountants among you, the cash flow statement reveals what happened to the client’s cash during the reporting period. It’s very much like your bank account statement: You have a beginning balance of cash at the start of the month, you deposit your paycheck, you write some checks for your mortgage and groceries, and then you end the month with a new cash balance. This is what a cash flow statement is: simply a beginning balance of cash, plus or minus some cash transactions, to arrive at an ending cash balance.

Another way to view the cash flow statement is as an income statement that is adjusted for non-cash transactions and transactions that have not yet impacted cash. Non-cash transactions are transactions that affect the income statement but will never affect cash. Depreciation is a non-cash transaction that is added back to profits on the cash flow statement since cash is never paid out or collected when an asset is depreciated. The cash flow statement also clarifies transactions that immediately impact cash. A company can make a sale but not collect on it, or incur an expense and not immediately pay for it in cash. These are called accounts receivable and accounts payable, respectively. Revenues that are earned but not received and expenses that are incurred but not paid would show up on the income statement, but not on the cash flow statement.  So the formula for the statement is simply …

Beginning Cash Balance
+/- Net Cash Flows from Operating Activities
+/- Net Cash Flows from Investing Activities
+/- Net Cash Flows from Financing Activities
= Ending Cash Balance

There are two methods of reporting cash flows from operations; in the direct method, the sources of operating cash flows are listed along with the uses of operating cash flows, with the difference between them being the net cash flow from operating activities.  In contrast, the indirect method reconciles net income per the income statement with net cash flows from operating activities; that is, accrual-basis net income is adjusted for non-cash revenues and expenses to arrive at net cash flows from operations.  The net cash flows from operating activities is the same amount regardless of which method is used. The indirect method is usually easier to compute and provides a comparison of the company’s operating results under the accrual and cash methods of accounting. As a result, most companies choose to use the indirect method, but either method is acceptable.

So what does all  this provide as a tool for the fraud examiner?  Simply, the cash flow statement provides any CFE with lots of neat information for further analysis in a very compact form.  First of all, the statement tells you what the company’s cash receipts and cash payments were for the period. Remember that it’s unlike the income statement in that the income statement takes into account all revenue and expense transactions, whether or not they affected cash. The cash flow statement only considers transactions that involve cash.

The cash flow statement divides the company’s cash transactions into three categories:

  • Operating activities, which include all cash received and paid out in connection with the company’s normal business operations, such as cash received from customers and funds paid to vendors. This category essentially encompasses any cash transactions that affect items on the income statement.
  • Investing activities, which are cash flows related to the sale or purchase of non-current assets, such as fixed assets, intangible assets, and investments. This category generally covers those cash transactions that affect the asset side of the balance sheet.
  • Financing activities, which are all cash inflows and outflows pertaining to the company’s debt and equity financing. Inflows include the proceeds received from issuing stocks and bonds and from borrowing money from a bank. Outflows include debt repayments and cash dividends paid to shareholders. In general, this category includes the cash transactions that affect the liabilities and owners’ equity side of the balance sheet.

In a perfect world, a company should only need loans when it has a timing problem between collecting and spending money or when it’s expanding. However, if a company expends more money than it will ever make, it will eventually go out of business. This is where the cash flow statement is so useful to the fraud examiner. You will want to get an idea of the cash flow necessary to run the business so that you will be able to tell whether the company is generating enough cash from operations to continue to do business. Chronic lack of cash is a red flag directly related to the motivation for many frauds. The examiner can also evaluate the relationship between total cash generated from financing and investing activities and the amount generated by operating activities.

Some things you will want to note from the cash flow statement in connection with any suspected financial fraud:

  • Does the company have heavy demands on its operating cash each period?
  • Do the inflows equal or exceed the outflows?
  • Is the cash balance increasing or decreasing over time?
  • Is the company making smart decisions about sources and uses of cash given its apparent financial condition?

This is information pertinent to the investigation of a wide range of fraud scenarios, the successful investigation of which involves different data than that commonly available in the income statement. The income statement alone does not reveal the complete picture of the company’s financial health that is necessary for a full investigation of many types of fraud. Evaluating income and cash flows includes considering the timing of items, such as collections of accounts receivable. In the end, a company might have a fabulous looking income statement, but might not have any cash available for operations. This may occur because the revenues recorded on the income statement have not been collected. Remember, as part of doing business, companies usually allow customers to make purchases on credit; this means those companies will collect the cash subsequent to the actual recording of the revenues. For example, a small high-tech manufacturer might have a healthy looking profit on its income statement, but not be able to pay its employees’ salaries. However, the entrepreneurial owners of the company expect all is well, since they assume the net income on the income statement equals the amount of cash in the company’s bank account. But, as is often the case, there’s a timing difference between when the company records a sale and when it actually receives the cash from its customers. As a result, the cash balance seldom, if ever, will match the income on the income statement. Other transactions – such as accrued or prepaid expenses, depreciation, and inventory purchases – will also cause a disparity between an organization’s net income and its net cash flows.
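To make the timing difference concrete, the following Python is an added example (not part of the original post) that applies the indirect method and the statement formula above to three quarters of a manufacturer like the one just described, then raises the red flags from the checklist. All figures are constructed, in thousands, and the field names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    label: str
    net_income: int
    depreciation: int         # non-cash expense, added back to profit
    ar_increase: int          # revenue recorded but not yet collected
    ap_increase: int          # expenses incurred but not yet paid
    inventory_increase: int   # cash spent on stock not yet expensed
    investing: int            # net cash flow from investing activities
    financing: int            # net cash flow from financing activities


def operating_cash_flow(p):
    """Indirect method: adjust accrual-basis net income to a cash basis."""
    return (p.net_income + p.depreciation - p.ar_increase
            + p.ap_increase - p.inventory_increase)


def roll_forward(beginning_cash, periods):
    """Apply beginning cash +/- operating, investing and financing flows
    period by period, collecting red flags along the way."""
    rows, cash = [], beginning_cash
    for p in periods:
        ocf = operating_cash_flow(p)
        ending = cash + ocf + p.investing + p.financing
        flags = []
        if p.net_income > 0 and ocf < 0:
            flags.append("profit reported but operations consumed cash")
        if ocf < 0 and p.financing > 0:
            flags.append("operating shortfall covered by financing")
        if ending < cash:
            flags.append("cash balance decreasing")
        rows.append({"period": p.label, "ocf": ocf,
                     "ending_cash": ending, "flags": flags})
        cash = ending
    return rows


# Constructed sample: profit rises every quarter while receivables balloon.
PERIODS = [
    Period("Q1", 120, 15, 60, 10, 20, -30, 0),
    Period("Q2", 150, 15, 180, 5, 40, -20, 50),
    Period("Q3", 160, 15, 200, 0, 30, 0, 40),
]

if __name__ == "__main__":
    for row in roll_forward(100, PERIODS):
        print(row)
```

Net income grows from 120 to 160 across the three quarters while cash falls back to its starting level, propped up only by borrowing: the pattern the income statement alone would hide.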

The statement of cash flows represents a trove of invaluable information that can cast light on virtually every aspect of a client’s financial health and thus inform any fraud investigation. Use it to your advantage!