Category Archives: Risk Assessment

The Human Financial Statement

A finance professor of mine in graduate school at the University of Richmond was fond of saying, in relation to financial statement fraud, that as staff competence goes down, the risk of fraud goes up. What she meant by that was that the best operated, most flawless control ever put in place can be tested and tested and tested again and score perfectly every time. But it's still no match for the employee who doesn't know, or perhaps doesn't even care, how to operate that control; or for the manager who doesn't read the output correctly; or for the executive who hides part of a report and changes the numbers in the rest. That's why CFEs and the members of any fraud risk assessment team (especially our client managers who actually own the process and its results) should always take a careful look at the human component of risk: the real-world actions, and lack thereof, taken by real-life employees in addressing the day-to-day duties of their jobs.

ACFE training emphasizes that client management must evaluate whether it has implemented anti-fraud controls that adequately address the risk that a material misstatement in the financial statements will not be prevented or detected in a timely manner, and then focus on fixing or developing controls to fill any gaps. The guidance offers several specific suggestions for conducting top-down, risk-based, anti-fraud focused evaluations, and many of them require the active participation of staff drawn from all over the assessed enterprise. The ACFE documentation also recommends that management consider whether a control is manual or automated, its complexity, the risk of management override, and the judgment required to operate it. Moreover, it suggests that management consider the competence of the personnel who perform the control or monitor its performance.

That's because the real risk of financial statement misstatements lies not in a company's processes or the controls around them, but in the people behind the processes and controls who make the organization's control environment such a dynamic, challenging piece of the corporate puzzle. Reports and papers that analyze fraud and misstatement risk use words like "mistakes" and "improprieties." Automated controls don't do anything "improper." Properly programmed record-keeping and data management processes don't make "mistakes." People make mistakes, and people commit improprieties. Of course, human error has always been and will always be part of the fraud examiner's universe, and an SEC-encouraged, top-down, risk-based assessment of a company's control environment, with a view toward targeting the control processes that pose the greatest misstatement risk, falls nicely within most CFEs' existing operational ambit. The elevated role for CFEs, whether on staff or in independent private practice, in optionally conducting fraud risk evaluations offers our profession yet another chance to show its value.

Focusing on the human element of misstatement fraud risk is one important way our client companies can make significant progress in identifying their true financial statement and other fraud exposures. It also represents an opportunity for management to identify the weak links that could ultimately result in a misstatement, as well as for CFEs to make management’s evaluation process a much simpler task. I can remember reading many articles in the trade press these last years in which commentators have opined that dramatic corporate meltdowns like Wells Fargo are still happening today, under today’s increased regulatory strictures, because the controls involved in those frauds weren’t the problem, the people were. That is certainly true. Hence, smart risk assessors are integrating the performance information they come across in their risk assessments on soft controls into management’s more quantitative, control-related evaluation data to paint a far more vivid picture of what the risks look like. Often the risks will wear actual human faces. The biggest single factor in calculating restatement risk as a result of a fraud relates to the complexity of the control(s) in question and the amount of human judgment involved. The more complex a control, the more likely it is to require complicated input data and to involve highly technical calculations that make it difficult to determine from system output alone whether something is wrong with the process itself. Having more human judgment in the mix gives rise to greater apparent risk.

A computer will do exactly what you tell it to over and over; a human may not, but that’s what makes humans special, special and risky. In the case of controls, especially fraud prevention related controls, our human uniqueness can manifest as simple afternoon sleepiness or family financial troubles that prove too distracting to put aside during the workday. So many things can result in a mistaken judgment, and simple mistakes in judgment can be extremely material to the final financial statements.

CFEs, of course, aren't in the business of grading client employees, or even of commenting to them about their performance. But whether the fraud risk assessment in question is related to financial report integrity or to any other issue, CFEs making such assessments at management's request need to consider the experience, training, quality, and capabilities of the people performing the most critical controls.

You can have a well-designed control, but if the person in charge doesn't know, or care, what to do, that control won't operate. And whether such a lack of ability, or of concern, is at play is a judgment call that assessing CFEs shouldn't be afraid to make. A negative characterization of an employee's capability doesn't mean that employee is a bad worker, of course. It may simply mean he or she is new to the job, or it may reveal training problems in that employee's department. CFEs proactively involved in fraud risk assessment need to keep in mind that, in some instances, competence may be so low that it results in greater risk. Both the complexity of a control and the judgment required to operate it are important. The ability to interweave notions of good and bad judgment into the fabric of a company's overall fraud risk comes from CFEs' experience doing exactly that on fraud examinations. A critical employee's intangibles, like conscientiousness, commitment, ethics and morals, and honesty, all come into play and either contribute to a stronger fraud control environment or cause it to deteriorate. CFEs need to be able, while acting as professional risk assessors, to challenge, to management, the quality, integrity, and motivation of employees at all levels of the organization.

Many companies conduct fraud-specific tests as a component of the fraud prevention program, and many of the most common forms of fraud can be detected by basic controls already in place. Indeed, fraud is a common concern throughout all routine audits, as opposed to the conduct of separate fraud-only audits. It can be argued that every internal control is a fraud deterrent control. But fraud still exists.

What CFEs have to offer to the risk assessment of financial statement and other frauds is their overall proficiency in fraud detection and the reality that they are well-versed in, and cognizant of, the risk of fraud in every given business process of the company; they are, therefore, well positioned to apply their best professional judgment to the assessment of the degree of risk of financial statement misstatement that fraud represents in any given client enterprise.

Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case and each is a serious violation of various Federal privacy laws. None of these three scenarios was the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required them to have access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, similar employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, to support the accomplishment of actual frauds. The good news is that CFEs can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then to advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFEs proactively assessing client organizations which use substantial amounts of private customer information (PCI) for fraud risk should expect to see the presence of controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated environment, usually a database. The kinds of controls CFEs should look for are the presence of a privacy strategy that combines the establishment of a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides for ongoing analysis of database activity, an investigative function to resolve suspect accesses and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy on the front end of the implementation of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of their title, seniority or function. The AICPA/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in the imposition of disciplinary action. No employees are granted access to any system housing confidential data until they have first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, it is necessary for individual accesses to be captured and maintained in a format conducive to analysis. There are many commercially available software tools which can be used to monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL) based upon various search criteria, and provides the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.
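The three cases that open this section (a neighbor's accounts, a relative's accounts, a high-profile patient's record) all share a pattern a monitoring tool can look for: an access with no recorded business purpose, an access to a record connected to the employee personally, an access to a flagged record, or rapid browsing across many records. The following is an added example, not code from the original post, from the ACFE or from any commercial monitoring product. It applies those four rules to a constructed access log; the employee directory, customer records, work assignments, log lines, rule names and thresholds are all hypothetical values made up for illustration.

```python
"""Rule-based review of database access events for non-business browsing.

Added example (not from the original post). Every data set below is
constructed for illustration; the rules reflect the post's own scenarios
(neighbor, relative, high-profile record, access with no business reason).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed employee directory: surname and postcode of each employee.
EMPLOYEES = {
    "e100": {"surname": "Moreno", "postcode": "23220"},
    "e200": {"surname": "Patel", "postcode": "23173"},
}

# Constructed customer records; "vip" marks high-profile records that
# warrant review whenever they are opened.
CUSTOMERS = {
    "c1": {"surname": "Moreno", "postcode": "23220", "vip": False},
    "c2": {"surname": "Okafor", "postcode": "23220", "vip": False},
    "c3": {"surname": "Lee", "postcode": "23233", "vip": True},
    "c4": {"surname": "Singh", "postcode": "23229", "vip": False},
    "c5": {"surname": "Brown", "postcode": "23294", "vip": False},
    "c6": {"surname": "Green", "postcode": "23294", "vip": False},
}

# Constructed work assignments: (employee, customer) pairs with an open case.
# An access with no matching assignment has no recorded business purpose.
ASSIGNMENTS = {("e200", "c4"), ("e100", "c5")}

# Constructed access log, one "timestamp employee customer action" per line.
ACCESS_LOG = """\
2024-03-04T09:01:00 e100 c5 VIEW
2024-03-04T09:02:30 e100 c1 VIEW
2024-03-04T09:03:10 e100 c2 VIEW
2024-03-04T09:04:00 e100 c3 VIEW
2024-03-04T09:04:40 e100 c6 VIEW
2024-03-04T11:15:00 e200 c4 UPDATE
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, cust, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                       "cust": cust, "action": action})
    return events


def flag_accesses(events, employees, customers, assignments,
                  browse_limit=4, window=timedelta(minutes=10)):
    """Return one finding per suspicious access, plus one per browsing burst.

    browse_limit and window are hypothetical thresholds: an employee who
    opens browse_limit or more distinct records inside one window is flagged.
    """
    findings = []
    per_emp = defaultdict(list)
    for ev in events:
        emp, cust = ev["emp"], ev["cust"]
        e, c = employees[emp], customers[cust]
        reasons = []
        if (emp, cust) not in assignments:
            reasons.append("no_assignment")      # no open case links them
        if e["surname"] == c["surname"]:
            reasons.append("shared_surname")     # possible relative
        if e["postcode"] == c["postcode"]:
            reasons.append("shared_postcode")    # possible neighbor
        if c["vip"]:
            reasons.append("vip_record")         # high-profile record
        if reasons:
            findings.append({"emp": emp, "cust": cust, "ts": ev["ts"],
                             "reasons": reasons})
        per_emp[emp].append(ev)

    # Browsing rule: many distinct records opened in a short window.
    for emp, evs in per_emp.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            seen = {x["cust"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) >= browse_limit:
                findings.append({"emp": emp, "cust": None, "ts": start["ts"],
                                 "reasons": ["bulk_browsing"]})
                break
    return findings


def summarize(findings):
    """Collapse findings to {employee: sorted list of rule names} for review."""
    out = defaultdict(set)
    for f in findings:
        out[f["emp"]].update(f["reasons"])
    return {emp: sorted(r) for emp, r in out.items()}


if __name__ == "__main__":
    for f in flag_accesses(parse_log(ACCESS_LOG), EMPLOYEES, CUSTOMERS, ASSIGNMENTS):
        print(f["ts"].isoformat(), f["emp"], f["cust"], ",".join(f["reasons"]))
```

Run against the constructed log, the detector flags only e100: four accesses with no assignment (one of which also matches the employee's own surname and postcode, one a neighbor's postcode, one a VIP record) and a browsing burst of five records in under four minutes; e200's single access is backed by an open case and raises nothing. Findings are the input to the investigative function described in this section, not a verdict; the point of the rules is to narrow the reviewer's attention to accesses that lack a visible business purpose.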

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting non-business access of confidential information must be disciplined; the exact nature of that discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will not result in any consequence and, therefore, they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization's privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as from external misuse, without imposing barriers that restrict their employees' ability to perform their duties. In today's environment, those who are perceived as being unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, and the accompanying consequences. Data surveillance, deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure, constitutes the set of component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

On Business Process Flow

During the last few years attention has increasingly turned to consideration of client critical business processes functioning as a unified whole as a focus of both risk assessment and fraud prevention efforts. As a result of this attention has come the accompanying realization that superior design of individual business processes is critical not only to the success of the overall organization but to its fraud prevention effort as well. For example, take bid preparation, a process that is usually conducted under time pressure and requires cross-organizational coordination involving the finance, marketing and production departments. If this process is badly designed, it may slow down processing and lead to late submission of the bid or to an inadequately organized bid, reducing the chances of winning the tender, all outcomes that increase the risk of irregularities and may even facilitate actual fraud.

An additional realization has been that business processes require process-based management. As CFEs, we find that our client organizations are usually divided into functional units (e.g., finance, marketing). Many business processes, however, like the bid process, are cross-organizational, involving several functions within the organization. A raw material purchasing process flows through the warehouse, logistics, purchasing and finance functions. Although each unit may function impeccably on its own, the process may be impaired due to a lack of coordination among the units. To prevent the obvious fraud vulnerabilities related to this problem, the ACFE emphasizes the need to manage the business process fraud prevention effort end to end. This includes appointing a process owner; setting performance standards (e.g., time, quality, cost); and establishing (and risk assessing) the control, monitoring and measurement of all the processes at work.

In the modern business world, change is constantly occurring; admirable as this fact is from an innovation perspective, anything that creates change, especially rapid change, can constitute opportunity for the ethically challenged. Despite this and associated risks, to ensure its competitiveness, the organization must continuously improve and adapt its business processes. Automated processes based on information systems are usually more difficult and expensive to change than manual processes (of which there are fewer left every day). Modifications to traditional program code require time and human resources, resulting in delays and high costs. Hence, to maintain business agility, automating business processes requires a technology that supports rapid modifications, which often means less management oversight and control and, therefore, more vulnerability to fraud.

Any business that is successful over the long term has most likely performed some kind of risk assessment, and had some success at managing business risks. Managers of successful entities have thought out what risks could have a significant negative impact on their ability to successfully execute the business plan, or even just cause a substantial loss of business, and have attempted to provide mitigating activities to address those risks. With the pervasiveness of fraud and, more important, their increasing dependence on cross-organizational business processes, entities have had to consider a fraud risk assessment as a sizeable portion of any fraud prevention effort. Yet, many entities struggle with the issue or, if convinced of the need to conduct an assessment across business process flows, with where to begin in performing an effective one.

The primary focus of a cross-organizational business process fraud risk assessment is to identify risks that the totality of such business processes present to the business, i.e., adverse effects related to these processes, whether taken as a whole or individually, that are not in the best interests of the entity. These risks are usually associated with business elements such as the ability to deliver the service/product efficiently and effectively, the ability to comply with regulations or contractual obligations, the effectiveness of systems (especially accounting systems and financial reporting systems), and the effective management of the entity in general (to achieve goals and objectives, to successfully achieve the business model). Weak anti-fraud controls can introduce risks in any of these areas, and more. Conversely, robust anti-fraud controls can enhance the entity's ability to sell its products over the internet, or move costs (clerical functions) from within the entity (employees) to customers outside the entity (e.g., online banking and the need to ask questions about accounts). The bottom line is that there is a need to have an effective identification and assessment of business process risks wherever the risks are at a degree that is more than trivial.

Typically, fraud risk is assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. The greater that product, the more significant that risk is to the entity, and the more it needs to be mitigated. Therefore, for each cross-organizational process risk, someone is asking the questions: what is the magnitude of the identified fraud risk/failure (e.g., monetary loss)? What is the likelihood of it occurring (e.g., a percentage)? One thing the CFE can do is to obtain a copy of the client's current risk assessment document. If management does not have one, or if it exists only in their heads, then by default, assurance over fraud risk being properly mitigated is lowered. Another good start is to obtain the client's business model; goals, objectives and strategies; and policies and procedures documents. A review of these documents will enable the CFE to understand where cross-business-process fraud risks could occur.

Another thing the CFE should do is gain a good understanding of the loss prevention function (if there is one), including its managerial and operational aspects. Then, depending on the entity, there could be an extensive list of technologies or systems that will need to be evaluated for risk in operations. From the management side, it includes the internal audit and loss prevention staffs. A measure of the competency of staff devoted to the fraud prevention effort is a key factor. Obviously, the more competent the staff, the lower the risks associated with all the elements of operations they affect, and vice versa. 

Since traditional systems are transaction based and handle each transaction and business document separately, it’s difficult to audit processes end to end.  Therefore, in such systems proper audit trails should be designed and implemented to ensure that a chronological record of all events that have occurred is maintained.  A focus on entire business processes, by contrast, is process flow based and therefore audit trails are a built-in feature.  In automated systems featuring this type of inter-process flow, all incidents and steps of multi-business processes are documented and linked to each other in the order they occurred.  

From the access control aspect of operations, an assessment should be made as to the risk of unauthorized activities. For example, do access controls sufficiently limit access to systems and supported business process flows through effective authorization and authentication controls? Does the information management function test new systems and applications thoroughly before deployment? Is there a sufficient staging area so that business process flow support applications can be tested not only on a stand-alone basis but also when interfaced with other applications and whole systems? If applications are not tested, the CFE will have less assurance about the mitigation of fraud risks facilitated by bugs and system failures.

The focus of fraud mitigation has moved, with increasing automation, away from the simple single fraud scenario to the entire flow of the interlocking business processes constituting the modern organization and their analytic footprint. 

The Internet & the Unforeseen

Liseli Pennings, last year’s speaker for our Central Virginia Chapter’s training event, ‘Investigating on the Internet’, made the comment during her presentation that on-line investigative tools are outstanding for working unforeseen fraud events.  When a potential fraud risk has been identified through routine risk assessment, what its effects would be can be discussed and hypothetically anticipated to some degree as part of the assessment.  However, Liseli pointed out, when catastrophic fraud events occur without warning, seemingly out of the blue, and no mitigation has been discussed or is even immediately possible, the results can be devastating to our clients. When these types of sudden, unforeseen fraud events occur, rapid information gathering can be critical to a successful investigative outcome and that’s where skillful use of the internet comes in.

Liseli's comment got me to thinking about a key question. Are these types of fraud events truly unforeseeable, or are they caused by a failure to gather adequate information on the front end to anticipate them and their effects? Unanticipated fraud events and their effects typically are associated with financial factors. However, as we've often discussed on this blog, some of the most catastrophic events can be non-financial in nature, such as damage to reputation, which also can lead to financial losses. As part of their proactive risk assessment processes, fraud examiners can play a vital role in monitoring the client's environment and providing valuable information to management to help identify and mitigate these types of risks. If an organization is not prepared for these types of sudden, catastrophic fraud events, the losses can sink the organization; one need only look at what happened to Martha Stewart Enterprises because of her trading scandal and to Target because of the overnight revelation of the hacking of its customer accounts, as well as to a host of others.

Viewed narrowly in hindsight, there seems to have been little these companies could realistically have done on the front end to mitigate the effects of such unforeseen events. The only way to manage such events effectively is to convert them from unforeseen to foreseeable events with potential for catastrophic losses that can be mitigated through anticipation and preparation. Anticipating the potential for such events is critical, requiring information that is current, forward-looking, frequent, comprehensive, reliable and diversified, and that is available, to an ever-growing extent, to the CFE on the public internet. Systematic use of the internet to broaden the scope of fraud risk assessment is a trend only now firmly taking hold.

Fraud prevention and mitigation related decision-making takes place in the present and affects the present but, more importantly, it affects the future. Historic information is valuable for some decisions but, to be effective, the information gathered for most decisions must be current and updated continuously. In this respect, CFEs and risk managers should consider the nature of the information source and the frequency with which it is updated. For example, printed encyclopedias become dated quickly. Web and mobile sources may be considered the most current, but, as Liseli pointed out last year, this is not always the case. The very abundance of internet related resources requires of those gathering on-line information that they exercise extra care in specifying how information is verified and how often, as well as when and under what circumstances it is updated. To have comprehensive and diversified information, examiners must accept that some information they uncover won't be completely reliable. Knowing that, they must have a methodology for evaluating the degree of reliability of each source, gathering corroborating and refuting information, and discerning the truth among the conflicting information.

When assessing the potential for unforeseen fraud events within the context of a client environment, CFEs and loss prevention managers should avoid the tendency to plan and act based solely on past events and risks. Internet based scanning and assessment systems and processes ideally should be developed to anticipate the next wave of risks that might be carrying unforeseen events ever closer to the organization. It would be simple if dealing with one unforeseen fraud event eliminated all others, but fraud examiners especially are aware of how often one fraud spawns another.

In casting a wider, on-line based, risk assessment net forward looking examiners might ask questions like:

–What is the next wave of technological, societal, industrial, and environmental changes that could affect my client organization, and what will be their implications for the organization?

–Have organizations that have a “bring-your-own-device” policy for cell phones, tablets, and other devices considered all the potential implications of such a policy, including privacy issues and the potential risk to proprietary information?

–What information on these devices is discoverable in legal cases?

–Are these sources included in the fraud assessment process?

–How quickly are events changing within the organization and its environment?

How do CFEs sift through this deluge of information to glean what is relevant to the organization? What filters are available within the media in use? Which sources have features available that push the information to the user based on chosen criteria?

Some such sources are …

–Industry and trade organizations, especially including websites, magazines, newsletters, forums, and roundtables.
–Social media.
–News outlets such as print, Internet, and cable television.
–Think tanks and consultants.
–Governmental and quasi-governmental organizations.
–Personnel using cutting-edge technology.

Unforeseen financial related fraud events most often arise from a lack of information. To be effective, information gathering must expand beyond those sources that are most familiar to risk assessment professionals and to others, like CFEs, involved in risk management; the more diverse the sources, the more effective the information gathering. Gathering information from only neutral sources may seem on the surface to be the most effective strategy, but this can create a severe deficit of information. Information from sources in competition with or in opposition to the client organization should be included. This will include information from sources that have a different political stance, moral compass, or divergent viewpoint. Gathering information from governmental organizations should include a wide variety of domestic and international sources. Information gatherers must evaluate the political purpose behind the information, its slant, and the reliability of the information.

Unforeseen fraud events can be devastating to an organization, not just because they are catastrophic, but because they are unexpected and initially mysterious in nature. But like all events, if they can be better understood and anticipated, their effects can be managed and mitigated so they will not be as damaging to the organization. The use of as many information sources as possible, including those that are Internet based, is key to assessing their risk and potential impact.

Assessing the Unknown

Some level of uncertainty and risk must exist in any fraud examination involving financial statement fraud. For example, there may be uncertainty about the competence of management and the accounting staff, about the effectiveness of internal controls, about the quality of evidence, and so on. These uncertainties or risks are commonly classified as inherent risks, control risks, or detection risks.

Assessing the degree of risk present and identifying the areas of highest risk are critical initial steps in detecting financial statement fraud. The auditor specifically evaluates fraud risk factors when assessing the degree of risk and approaches this risk assessment with a high level of professional skepticism, setting aside any prior beliefs about management’s integrity.  Knowledge of the circumstances that can increase the likelihood of fraud, as well as other risk factors, should aid in this assessment.

SAS 99 identifies fraud risk categories that auditors and fraud examiners may evaluate in assessing the risk of fraud. The three main categories of fraud risk factors related to fraudulent financial reporting are management characteristics, industry characteristics, and operating characteristics (including financial stability).

Management characteristics pertain to management’s abilities, pressures, style, and attitude as they have to do with internal control and the financial reporting process. These characteristics include management’s motivation to engage in fraudulent financial reporting – for instance, compensation contingent on achieving aggressive financial targets; excessive involvement of non-financial management in the selection of accounting principles or estimates; high turnover of senior management, counsel, or board members; strained relationship between management and external auditors; and any known history of securities violations.

Industry characteristics pertain to the economic and regulatory environment in which the entity operates, ranging from stable features of that environment to changing features such as new accounting or regulatory requirements, increased competition, market saturation, or adoption by the company of more aggressive accounting policies to keep pace with the industry.

Operating characteristics and financial stability encompass items such as the nature and complexity of the entity and its transactions, the geographic areas in which it operates, the number of locations where transactions are recorded and disbursements made, the entity’s financial condition, and its profitability. Again, the fraud examiner would look for potential risk factors, such as significant pressure on the company to obtain additional capital, threats of bankruptcy, or hostile take-over.

The two primary categories of fraud risk factors related to asset misappropriation are susceptibility of assets to misappropriation and adequacy of controls. Susceptibility of assets to misappropriation refers to the nature or type of an entity’s assets and the degree to which they are subject to theft or a fraudulent scheme. A company with inventories or fixed assets that include items of small size, high value, or high demand is often more susceptible, as is a company with easily convertible assets such as diamonds, computer chips, or large amounts of cash receipts or cash on hand. Cash misappropriation is also included in this category through fraudulent schemes such as vendor fraud. Adequacy of controls refers to the ability of controls to prevent or detect misappropriations of assets, owing to the design, implementation, and monitoring of such controls.

SAS 99 discusses fraud risk factors in the context of the fraud triangle, which we’ve often discussed on this blog. SAS 99 also suggests that the auditor consider the following attributes of risk:

–Type of risk that may be present – that is fraudulent financial reporting, asset misappropriation and/or corruption.

–Significance of risk – that is whether it could result in a material misstatement.

–Likelihood of the risk.

–Pervasiveness of the risk – that is whether it relates to the financial statements as a whole or to just particular accounts, transactions or assertions.

Finally, management’s selection and application of accounting principles are important factors for the examiner to consider.

The Straight Scoop on Risk

Any practicing auditor will tell you that information requests (getting the information needed to perform an audit or review) can be one of the most frustrating aspects of any audit work, and the information requests involved with fraud risk assessments are no exception. To successfully complete his or her assessment, the CFE must develop a thorough understanding of the client’s overall system of internal control, with special emphasis on those controls over financial transactions that reduce or mitigate fraud risk. Information requests usually signal the transition from planning to fieldwork for the CFE. How the request for that information is made sets the tone for the assessment and can help or hurt the CFE-to-client relationship. It can also positively or negatively impact the overall achievement of review objectives, so it’s important to spend the time to get this step right.

It’s been my experience that reviewers new to CFE practice tend to compile their requests for information hastily, under the assumption that the sooner they request the information, the sooner they’ll get the reply. However, as we’ve all experienced, information requests can get lost, forgotten, or ignored, and weeks can go by with no response. Since CFEs aren’t generally easily deterred, the problem is typically addressed by sending follow-up emails, leaving voice mails, and, as a last resort, knocking on the CFO’s office door in an attempt to get all the requested information prior to the start of serious fieldwork. And the initial request is only the beginning. During some reviews, information requests seem never to end. If the first request was for a list of key customers, a second request for invoicing procedures soon follows, and the whole request process starts all over again, moving like an arrow straight on through to the end of the assessment.

An alternative way around all this requires a little more work on the front end but organizes requests so that they reach the target data source quicker, questions are answered faster, and the CFE builds a stronger relationship with the client. This is done by scheduling a formal, face-to-face meeting with the provider of the target information in his or her office immediately following the entrance conference with the CEO, corporate counsel, or audit committee who engaged the CFE. The CFE should ask for and receive permission from the CEO before any information is requested from subordinate staff. The upper-management-sanctioned meeting with the targeted business process expert staff (say, the CFO or Chief Information Systems Officer, CIFO) takes place prior to any formal information request being submitted in writing.

Meeting with the targeted business process staff in this way has many benefits and, in my experience, is well worth the time. In addition to supporting a general discussion about what information is available, it’s often possible to obtain some of the requested items themselves during the face-to-face. I’ve often been directed to the information I want on the company databases simply by directly asking the CIFO for it. Such meetings are invaluable to the CFE since they provide an opportunity to improve his or her knowledge of the business and strengthen his or her relationship with business process owners. This approach doesn’t excuse the CFE from doing all he or she can beforehand to develop as much understanding as possible of what items of information to request during the meeting; this is because it’s common to learn something new about the control system of a business process in a meeting with a process expert that makes some aspect of the original request irrelevant. The best way to prepare for this is to have developed a solid overview of the fraud risk assessment process, its steps and objectives, so the CFE can quickly regroup and make a new request that better satisfies the complete, overall assessment objective.

During the meeting(s) with individual process owners the CFE should provide a brief overview of the assessment and its objective(s); this will help communicate the reason for the specific information requests. Through an easy give and take the CFE can explore with the process expert where the requested information is housed and how it might best be accessed. A benefit of this approach is that all clients appreciate having the assessment objectives and requests explained to them in person. They are more willing to provide the documentation and answer the inevitable follow-up questions that arise later because they have a clear understanding of what is needed and why.  If, during the discussion with the process expert, the reviewer realizes a change needs to be made to a request, it can be addressed in real time. This also saves the CFE from having to send an embarrassing email apologizing because he or she inadvertently requested the wrong information.

Following discussion of all the requests, the CFE should consider wrapping up the meeting by asking a few questions about how the business is doing, if any new initiatives are being undertaken, if that new financial system software is meeting expectations, etc. Anything learned about the business will improve the CFE’s ability to make fraud prevention recommendations and may identify other areas of fraud vulnerability to look into at a later time.  Working to obtain this useful control related information is much easier face-to-face than over the phone or via email.

After the meetings with the client’s business process experts are finished, the CFE and his or her team (if any) will be able to start testing immediately because most of the requested documentation has been obtained or its location identified. Another benefit of this approach is efficiency, because it can significantly reduce the time spent waiting and following up with the business process owner. It also allows the CFE to use his or her time effectively.

It is much better to spend one hour with the client up front than to spend an hour each of the following three weeks sending follow-up emails.  The best-case scenario is that the CFE walks out of the meeting with all the information requested in hand or its location identified and ready to start reviewing and testing. The worst-case scenario is that the CFE leaves the meeting without the requested information, but now knows where the supporting documentation is located and can pull the information him or herself. Regardless of the outcome, the auditor has spent time building a stronger relationship with the client’s business process owners and may have received some valuable information related to that department or business process that could never have been obtained through a seemingly endless email drive.

Homecoming 2015


According to the ACFE presenter at one of our recent live events, 6.4 percent of worldwide fraud cases occur in the education sector, which makes it the fifth most-targeted industry out of the 23 reported by members of the ACFE. The three most frequent fraud schemes reported as perpetrated in the education sector are billing schemes, fraudulent expense reimbursements, and corruption schemes. Most of the reporting CFEs also seem to agree that nonprofit institutions’ greatest fraud-related challenge is mitigating reputational risk. Good faculty members and students won’t join fraudulent universities. Governments and donors won’t financially contribute to organizations they don’t trust.

Thus, institutions of higher learning aren’t any more immune to fraud than any other large organization. However, the probability of occurrence of fraud risks may be somewhat higher in colleges and universities because of their promoted environment of collegiality, which may lead to more decentralization and a consequent lack of basic internal controls. During recent years, Federal and state governments, as well as donors, have increased the pressure on universities to implement better governance practices and on their boards of governors to exercise their fiduciary responsibilities more efficiently.

Which brought our ACFE speaker to the issue of regular risk assessments tailored specifically to the unique needs of the educational environment. Colleges and universities around the world should be actively encouraged by their governing boards and counsel to perform regular fraud risk assessments and to vigorously implement and enforce compliance with targeted internal controls, such as proper segregation of duties and surprise audits. Of course, as with all organizations, universities can prevent fraud by segregating the task of requesting a financial transaction from those of approving it, processing the payment, reconciling the transaction to the appropriate accounts, and safeguarding the involved asset. Surprise audits should be just that: unannounced supervisory reviews. This creates not just an atmosphere of collegiality and support but one in which the perceived opportunity to commit fraud is lowered.

As I’ve indicated again and again in the pages of this blog, the most powerful fraud prevention measure any organization can take is the education of its staff, top to bottom. Educating faculty, staff members, and students about the university’s ethics (or anti-fraud) policies is important not only to prevent fraud but to preserve the institution’s reputation. It’s also important to develop ethical policies carefully and implement them in accordance with the particular culture and character of the institution. Culturally, universities, like most nonprofit educational institutions, don’t like heavy-handed policies or controls, because faculty members perceive them as impediments to their research and teaching activities. After going through an appropriate anti-fraud training program, every employee and faculty member (many higher-education institutions actually view faculty above the instructor level as quasi-independent contractors) should come to understand the nature and role of internal controls as well as the negative consequences associated with fraud. University administrators, faculty, and staff members can be motivated to prevent fraud on a basis of self-interest, because its occurrence might affect their chances at future promotions and salary increases and tarnish the external reputation of the university, which could then affect its financial situation and, hence, their individual prospects.

ACFE training tells us that organizational administrators who don’t get honest feedback and don’t hear fraud tips quickly can get in trouble politically, legally, and strategically. All universities should implement user-friendly reporting mechanisms that allow anyone to anonymously report fraud and irregular activities, plus give healthy feedback on leadership’s own strengths and weaknesses. This will keep direct lines of communication open among all employees and senior university administrators. These tools will not only strengthen the fight against fraud but also advance the university’s strategic mission and refine senior administrators’ leadership styles. You can’t manage something you can’t see. Tried-and-true mechanisms, such as independent internal audit departments or audit committees, should oversee the reporting mechanisms.

Still, many universities resist pressure from their external stakeholders to implement hotlines because of concern that they might create climates of mistrust among faculty members. Faculty members’ tendency to resist any effort to have their work examined and questioned may explain this resistance. Necessary cultural changes take some time, but educational institutions can achieve them with anti-fraud training and a substantial dose of ethical leadership and tone at the top.

From a legal perspective, colleges and universities, like any other nonprofit organization, must proactively demonstrate due diligence by adopting measures to prevent fraud and damage to their individual reputations. They’re also financially and ethically indebted to governments and donors to educate tomorrow’s leaders by being able to demonstrate that their internal policies and practices are sound.

Senior university administrators must be able to show that they investigate all credible allegations of fraud. Independent, professional and confidential investigations conducted by you, the CFE, allow a victim university and its senior administrators to:

— determine the exact sources of losses and hopefully identify the perpetrator(s);
— potentially recover some or all of the financial damages;
— collect evidence for potential criminal or civil lawsuits;
— avoid possible discrimination charges from terminated employees;
— identify internal control weaknesses and address them;
— reduce future losses and meet budget targets;
— comply with legal requirements such as senior administrators’ fiduciary duties of loyalty and reasonable care;
— reduce imputed university liability which may result from employee misconduct.

As CFEs, we should encourage client universities to adequately train and sensitize administrators, faculty, and staff members about their ethics policies, codes of conduct, and the problem of occupational fraud in general. Administrators should also consider implementation of anonymous reporting programs and feedback processes among all stakeholders and among the senior administration. They should consider performing regular fraud risk assessments and implementing targeted internal controls, such as proper segregation of duties and conflict-of-interest disclosures. Senior administrators should lead by example and adopt irreproachable behaviors at all times (tone at the top). Finally, faculty members’ job incentives should be aligned with the university’s mission and goals to avoid dysfunctional and illegal practices. All easier said than done, but, as CFEs, let’s encourage them to do it when we have the chance!

Control Self-Assessment – A Tool for Fraud Prevention

That control self-assessment (CSA) can be used as an effective facilitation tool to develop fraud risk assessments is, I’m sure, no surprise to many of the readers of this blog. But for those of you who are not so aware: typically, a control self-assessment session to identify fraud risk is a facilitated meeting of managerial and operational staff (the business process experts) coming together to openly discuss fraud risk prevention objectives related to identified risk factors associated with one or more of a company’s business processes.

Fraud prevention objectives for the business process are identified during the session, as well as obstacles impeding the success of those objectives. Finally, the team formally suggests, for upper management consideration, ways to overcome the identified obstacles, and a proposed corrective action plan is prepared. At the start of the self-assessment session, the participants adopt a Team Operating Agreement to ensure that an open and honest discussion takes place in a threat-free environment. It takes a consensus of the participants to approve the operating agreement, which all the participants in the session sign; no management decisions regarding actions to be taken are made during the session.

After the Team Operating Agreement is in place, team members typically develop and approve what they perceive to be a list of fraud prevention objectives for the target business process under discussion. Once the anti-fraud objectives are defined, the participants enter into a discussion (and develop a list) of what they feel to be the existing overall fraud prevention strengths of the subject process. Next, the team discusses and develops a list of the hindrances currently preventing the process from achieving its anti-fraud related objectives. Finally, the team develops recommendations for overcoming the identified hindrances. Sometimes the team ranks its fraud reduction recommendations by order of importance, but this step is not critical.

A CSA for fraud prevention is akin to a risk assessment brainstorming session.  For example, the scope of such a session regarding a financial reporting related business process might be tailored to the risks of financial statement fraud and misstatement as well as to the issue of management override of controls over financial statement reporting.  The objective of the CSA is for the team to identify and discuss fraud risks, fraud scenarios and mitigating controls followed by the preparation of a set of recommendations for referral to management.

For each risk factor identified the CSA team should:

–try to identify what might cause a fraud to occur, or detail the risk factor itself;
–determine the specific fraud risk;
–determine potential fraud schemes or scenarios associated with the risk;
–identify affected financial accounts;
–identify staff positions that could potentially be involved;
–try to assess the type, likelihood, significance and inherent risk(s) involved;
–formulate the controls or changes to controls that could mitigate the risk;
–classify the controls by type (i.e., preventative, detective, entity, and process level);
–identify and assess residual risk.

Certified fraud examiners (CFEs) have an active role to play in tailoring the CSA format for use in risk identification and mitigation, as well as in facilitating the CSA sessions themselves. Specifically, CFEs can help client staff develop a more detailed, in-depth understanding of complex fraud risks that management and operational staff sometimes only vaguely perceive. Armed with the knowledge developed during the CSA session(s), and coupled with their risk assessment and group facilitation skills, CFEs can assist the client’s management and audit committee to identify, assess, and develop final fraud risk mitigation strategies that strengthen the fraud prevention program of the organization as a whole. Following what are sometimes multiple CSA sessions, CFEs can assist the team in detailing the menu of anti-fraud measures developed during the individual sessions in a report to client management, embodying the CSA team members’ anti-fraud recommendations to the executive management team and the audit committee for their consideration. It’s up to upper management to decide which of the CSA team’s anti-fraud recommendations to implement and which of the team’s identified risks to accept.

Just a few of the advantages of conducting fraud prevention related CSAs for critical client business processes include:

–building fraud risk awareness among those middle-level managers charged with day-to-day management of our client companies’ business processes;
–mapping organization-wide fraud prevention efforts to specific business processes;
–establishing links between information technology (IT) systems development projects and the broader fraud prevention program;
–identifying, documenting, and strengthening fraud prevention skill sets across all the business processes of the organization;
–supporting the construction of a strong fraud prevention program that enjoys full management and board support organization-wide.

Evaluating the Fraud Prevention Program Performance of a Contracted Entity

A practicing CFE member of our Chapter, currently based in San Francisco, is in the process of conducting a performance review of the fraud prevention program of a major Silicon Valley software developer. The client firm outsources many of its critical activities, among them numerous IT services, infrastructure, help desk support, and various types of financial transaction processing (to name but a few). All these arrangements appear to be delivering significant value for her client company, which, however, has little or no control over the internal processes of its suppliers, a fact that originally emerged in a fraud risk assessment performed for the client by our member several years back.

The key to the successful performance of the fraud prevention program of a heavily contracted entity lies in defining every outsourced relationship carefully before it even begins and then in actively managing the relationship once it’s been established.  As our member forcefully pointed out to her client a full year before undertaking the present review, to thoroughly evaluate the performance of its fraud prevention program it would be necessary to determine that the client’s relationship requirements for every vendor have been adequately defined and that they continue to reflect the needs of the organization.  It’s vital to the fraud prevention effort that service level agreements have been documented and agreed to by both parties defining financial, business, ethical, legal, privacy and security requirements.  In addition, for the client to have adequate control, all service level agreements must include monitoring, reporting, escalation and conflict resolution clauses to ensure that any fraud related issue can be addressed speedily and appropriately as it arises.

It’s amazing to me how often the issue of business insurance is overlooked in vendor relationships, especially insurance to adequately cover the risk associated with initiating the outsourcing relationship, but also continuing coverage in areas that apply to the supported processes on an ongoing basis. Which brings me to the issue of subcontractors: our member indicates that it’s important to confirm, as part of the performance evaluation process, that all client vendors have a management program in place to ensure compliance with those anti-fraud measures specifically stipulated by the client’s fraud prevention program.

Conflicts of interest, which can be an issue with any vendor and are especially important to the effectiveness of fraud prevention programs,  should be thoroughly researched before entering into any support contract.  This same concern exists for vendor use of the client’s intellectual property and regarding the business stability of the vendor and for ensuring that safeguards exist to cover the privacy and security of any of the client’s data in the vendor’s possession.

With the suite of vendors selected and the outsourcing relationships implemented and in actual operation, our member says it’s important for fraud prevention performance that the outsourcing client continually manage the outsourced business processes to see that its fraud prevention requirements continue to be met.

All organizations, but especially those required to comply with regulatory requirements, should have in hand a mature vendor management program.  The CFE evaluating the performance of the fraud prevention program will need to find evidence of a defined vendor selection process including a definition of the data and client materials over which the vendor(s) is to have control.  The vendor management program should contain a full set of defined business objectives that the vendor is required to meet and a set of contractually defined responsibilities and service level agreements with a mechanism for regular client management oversight to guarantee compliance.  Every vendor agreement should contain a right to audit clause and specify the performance of a periodic fraud risk assessment to address and respond to the emerging fraud risks the client faces.  There must also be 1) vendor support for on-site client audits of vendor procedures controlling client assets, 2) periodic rating of the services provided against contract defined objectives, 3) regular assessment of the adequacy and cost effectiveness of the services provided and 4) last but not least, regular, proactive reporting to the client that ensures vendor compliance with defined requirements.

Just as we recognize that each of our client organizations is responsible for developing and implementing a comprehensive fraud prevention program, a strong program is especially critical for contracted entities because, whether the client chooses to perform critical business processes with internal or external resources, the client is still fully responsible for adequate performance. Fraud prevention program performance evaluations of contracted entities conducted by fraud examiners need to be at least thorough enough to assure management of adequate performance, since lenders and regulatory and standards bodies will not relieve management of its responsibility to ensure outsourced services meet stated fraud prevention requirements.

In summary, as a component of the fraud prevention program every organization needs to develop generalized, mature vendor management programs to ensure that any outsourced services are operating effectively and securely, including specifying agreement requirements before finalizing and monitoring the service during the contract period.

Thanks from all of us to our San Francisco member for sharing key elements of her performance review experience with us!

Testing the Key to a Strong AML Program

Our RVACFES Chapter virtual meeting lecture topic for July-August 2014 is ‘Money Laundering 101’. Although the lecture (good for two CPE credits) represents a solid overview of the money laundering phenomenon from the point of view of the practicing fraud examiner confronted with a real-world case for investigation, one of our members has asked if we might provide a little additional guidance on CFE-conducted reviews of the quality of organizational Anti-Money Laundering (AML) programs as a supplement to the lecture material.

Money laundering is the process of making dirty money look clean; it’s the conversion or transfer of property knowing it is derived from a criminal offense, for the purpose of concealing or disguising its illicit origin, or assisting any person who is involved in the commission of the crime to evade the legal consequences of his or her action.  Why is it necessary for criminals to launder their gains?  Crimes such as smuggling human beings, embezzlement, insurance fraud, bribery and drug trafficking can produce large volumes of profits and create a strong incentive to legitimize the proceeds through laundering using financial institutions.  As this month’s lecture points out, criminals attempt to use financial institutions and other legitimate conduits for disguising the source(s) of their income.

According to our parent organization, the Association of Certified Fraud Examiners (ACFE), any effective AML program should feature the appointment of a senior corporate officer responsible for ensuring that the specific risks associated with money laundering are understood, addressed, and mitigated enterprise-wide. Mitigation implies that formal policies, procedures, and controls have been developed that address local anti-money laundering regulations as well as the anti-money laundering recommendations made by the Financial Action Task Force (FATF), a Paris-based intergovernmental body formed in 1989 by the Group of Seven Industrialized Nations. In keeping with the FATF recommendations, as a fraud examiner you should expect that the enterprise you’re reviewing has implemented a risk-based approach to identify the particular laundering risks associated specifically with its clients, geography, products, and delivery channels. There should also be evidence of the client’s implementation of dynamic, rules-based transaction monitoring for purposes of identifying and reporting suspicious funds flow activity. Finally, it’s essential that a staff training program be fully operational and that it’s been fully customized to the specific functions and activities of the business.

If the client appears to have a functioning AML program but you can’t find evidence of any program testing, you need to recommend prompt corrective action to address the deficiency.  What types of AML tests would the fraud examiner typically expect to see the client perform?  Some examples:

–The identification of cash deposits of US $10,000 or more where the required regulatory reporting has not been completed (as our July-August 2014 lecture material points out, this threshold applies to Canada and the United States but may vary in other countries);

–The AML program should test to identify transactions with countries where trade sanctions exist;

–Using a published system of industry codes (Dun & Bradstreet, for example), list the client’s customers operating in industries with a high association with known money laundering schemes, then assess the level of enhanced due diligence the AML program under review applies to those customers and industries;

–What percentage of the client’s staff hasn’t completed AML training?

–List of client customers with missing Taxpayer Identification Numbers;

–Clients operating from P.O. boxes;

–List of wire transfers from accounts owned by governments into accounts of private investment companies and politically exposed persons;

–Are there transactions processed for clients who reside in sanctioned countries like Cuba or Iran?
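The tests listed above, as an added Python example that is not from the post or any chapter material: each rule is run over constructed customer, transaction and staff records, and the threshold, country and industry codes, flag names and record layout are all assumptions.

```python
import re

CTR_THRESHOLD = 10_000         # cash reporting threshold the post gives for the US and Canada
SANCTIONED = {"CU", "IR"}      # Cuba and Iran, the examples the post names (assumed ISO codes)
HIGH_RISK_INDUSTRY = {"7995"}  # assumed placeholder code for an industry linked to laundering
PO_BOX = re.compile(r"\bP\.?\s?O\.?\s*BOX\b", re.I)   # "P.O. Box 77", "PO Box 9", ...

# Constructed sample data (not real clients); optional customer flags: government, pep, edd_done
CUSTOMERS = {
    "C1": {"country": "US", "address": "12 Main St", "tin": "12-3456789", "industry": "5812"},
    "C2": {"country": "US", "address": "P.O. Box 77", "tin": None, "industry": "7995"},
    "C3": {"country": "IR", "address": "4 Azadi Ave", "tin": "99-0000001", "industry": "5812"},
    "GOV": {"country": "US", "address": "1 Capitol Way", "tin": "00-0000000", "industry": "9111", "government": True},
    "PEP": {"country": "US", "address": "PO Box 9", "tin": "55-5555555", "industry": "6799", "pep": True},
}
TXNS = [
    {"id": "T1", "cust": "C1", "kind": "cash", "amount": 12_500, "ctr_filed": False},
    {"id": "T2", "cust": "C1", "kind": "cash", "amount": 9_900, "ctr_filed": False},
    {"id": "T3", "cust": "C3", "kind": "wire", "amount": 5_000, "to": "C1"},
    {"id": "T4", "cust": "GOV", "kind": "wire", "amount": 250_000, "to": "PEP"},
]
STAFF = [{"aml_trained": True}, {"aml_trained": False}, {"aml_trained": True}, {"aml_trained": True}]


def run_aml_tests(customers, txns):
    """Return (test_name, record_id) for every transaction or customer that fails a test."""
    hits = []
    for t in txns:
        src, dst = customers[t["cust"]], customers.get(t.get("to"), {})
        if t["kind"] == "cash" and t["amount"] >= CTR_THRESHOLD and not t.get("ctr_filed"):
            hits.append(("CTR_NOT_FILED", t["id"]))        # reportable cash deposit, no report filed
        if src["country"] in SANCTIONED or dst.get("country") in SANCTIONED:
            hits.append(("SANCTIONED_COUNTRY", t["id"]))   # either side sits in a sanctioned country
        if t["kind"] == "wire" and src.get("government") and dst.get("pep"):
            hits.append(("GOV_TO_PEP_WIRE", t["id"]))      # government-owned account wiring to a PEP
    for cid, c in customers.items():
        if not c.get("tin"):
            hits.append(("MISSING_TIN", cid))
        if PO_BOX.search(c["address"]):
            hits.append(("PO_BOX_ADDRESS", cid))
        if c["industry"] in HIGH_RISK_INDUSTRY and not c.get("edd_done"):
            hits.append(("HIGH_RISK_INDUSTRY_NO_EDD", cid))  # no enhanced due diligence on file
    return hits


def untrained_pct(staff):
    """Percentage of staff who have not completed AML training."""
    return 100.0 * sum(1 for s in staff if not s["aml_trained"]) / len(staff)


if __name__ == "__main__":
    print(run_aml_tests(CUSTOMERS, TXNS), untrained_pct(STAFF))
```

Each hit is one line in the test report; the severity assigned to it is a management judgement and is left out of the code on purpose.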

But the performance of actual tests is only half the battle.  Testing should be repeated according to a defined schedule and the results included, by severity level, in a formal report distributed to the business owners and senior management.  The most material findings are those where a deficiency directly contravenes local, state or federal law and no compensating controls are in place.  Medium level findings are those issues that management considers material but for which some compensating controls are presently in place.  Low level findings are minor control weaknesses whose correction may or may not be considered.  The severity levels of the test results are useful for assigning an overall performance rating to the organization’s AML program.

As with all such risk-based approaches, the AML program should include a defined process to ensure that corrective action plans are expeditiously implemented in accordance with management-committed completion dates.  As with all deficiency findings, responsibility for ensuring that corrective action is undertaken in a timely manner rests with the business or process owner.

Fraud examiners are strong candidates to conduct functional analysis of AML systems; our work can provide client management with the necessary intelligence to proactively manage identified AML system deficiencies and control the associated risks.  For more information, Chapter members should see this month’s virtual lecture.