
Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case and each is a serious violation of various Federal privacy laws. None of these three scenarios was the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, such employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, to support the accomplishment of actual frauds. The good news is that CFEs can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then to advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFEs proactively assessing client organizations which use substantial amounts of private customer information (PCI) for fraud risk should expect to see the presence of controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated environment, usually a database. The kinds of controls CFEs should look for are the presence of a privacy strategy that combines the establishment of a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides for ongoing analysis of database activity, an investigative function to resolve suspect accesses and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy on the front end of the implementation of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of their title, seniority or function. The AICPA/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in the imposition of disciplinary action. No employees are granted access to any system housing confidential data until they have first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, it is necessary for individual accesses to be captured and maintained in a format conducive to analysis. There are many commercially available software tools which can be used to monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL), based upon various search criteria, and provides the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.
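The analysis step described above, as an added illustration that is not code from the post or from any monitoring product: a small review routine run over a constructed access log that applies three rules drawn from the cases at the top of the post (an access must cite a business reason, staff should not browse records of their own household, neighbours or relatives, and high-profile records need a case assignment). The employee directory, record directory, case assignments and log lines are all constructed samples.

```python
"""Flag suspicious record accesses in a constructed database access log.

Added illustration, not code from the post or from any vendor tool. Every
directory, case assignment and log line below is a constructed sample.
"""
import csv
import io
from collections import namedtuple

Access = namedtuple("Access", "ts employee record ticket")

# Constructed HR directory: employee id -> (surname, home address)
EMPLOYEES = {
    "e101": ("Moyo", "12 Elm St"),
    "e102": ("Chen", "4 Oak Ave"),
}

# Constructed customer/patient directory: record id -> (surname, address, vip)
RECORDS = {
    "r1": ("Moyo", "12 Elm St", False),   # e101's own household
    "r2": ("Smith", "14 Elm St", False),  # e101's next-door neighbour
    "r3": ("Lee", "9 Pine Rd", True),     # high-profile patient
    "r4": ("Chen", "77 Bay Rd", False),   # shares a surname with e102
}

# Constructed case assignments: (employee, record) pairs with approved work
CASE_ASSIGNMENTS = {("e102", "r3")}

# Constructed access log exported by the monitoring tool, one access per line
ACCESS_LOG = """ts,employee,record,ticket
2016-03-01T09:00,e101,r2,T-100
2016-03-01T09:05,e101,r1,
2016-03-01T09:07,e101,r2,
2016-03-01T10:00,e102,r3,T-200
2016-03-01T10:30,e101,r3,T-201
2016-03-01T11:00,e102,r4,T-202
"""

def parse_log(text):
    return [Access(**row) for row in csv.DictReader(io.StringIO(text))]

def neighbours(addr_a, addr_b):
    """Same street with house numbers no more than 2 apart (constructed heuristic)."""
    num_a, street_a = addr_a.split(" ", 1)
    num_b, street_b = addr_b.split(" ", 1)
    return street_a == street_b and abs(int(num_a) - int(num_b)) <= 2

def findings(access):
    """Policy findings for one access; an empty list means nothing to review."""
    emp_surname, emp_addr = EMPLOYEES[access.employee]
    rec_surname, rec_addr, vip = RECORDS[access.record]
    out = []
    if not access.ticket:
        out.append("no business reason recorded")
    if emp_addr == rec_addr:
        out.append("record belongs to employee's own household")
    elif neighbours(emp_addr, rec_addr):
        out.append("record belongs to a neighbour")
    if emp_surname == rec_surname:
        out.append("record shares employee's surname (possible relative)")
    if vip and (access.employee, access.record) not in CASE_ASSIGNMENTS:
        out.append("high-profile record without case assignment")
    return out

def review_queue(text):
    """Map each flagged access (employee, record, ts) to its list of findings."""
    queue = {}
    for access in parse_log(text):
        reasons = findings(access)
        if reasons:
            queue[(access.employee, access.record, access.ts)] = reasons
    return queue

if __name__ == "__main__":
    for key, reasons in review_queue(ACCESS_LOG).items():
        print(key, "->", "; ".join(reasons))
```

The queue this produces is the hand-off to the investigative function the post describes next; the one access with a ticket, a case assignment and no household link (e102 on r3) is the only one that is not queued.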

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting nonbusiness access of confidential information must be disciplined; the exact nature of that discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will not result in any consequence and, therefore, they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization’s privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as from external misuse, without imposing barriers that restrict their employees’ ability to perform their duties. In today’s environment, those who are perceived as being unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, and the accompanying consequences. Data surveillance deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure are the component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

Beyond the Sniff Test

Many years ago, I worked with a senior auditor colleague, also an attorney, who was always talking about applying what he called “the sniff test” to any financial transaction that might represent an ethical challenge. Philosophical theories provide the bases for useful practical decision approaches and aids like my friend’s sniff test, although we can expect that most of the executives and professional accountants we work with as CFEs are unaware of exactly how and why this is so. Most seasoned directors, executives, and professional accountants, however, have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis. To their minds, if these preliminary tests give rise to concerns, a more thorough analysis should be performed using any number of defined approaches and techniques.

After having heard him use the term several times, I asked my friend if he could define it. He thought about it that morning and later, over lunch, he boiled it down to a series of questions he would ask himself:

–Would I be comfortable as a professional if this action or decision of my client were to appear on the front page of a national newspaper tomorrow morning?
–Will my client be proud of this decision tomorrow?
–Would my client’s mother be proud of this decision?
–Is this action or decision in accord with the client corporation’s mission and code?
–Does this whole thing, in all its apparent aspects and ramifications, feel right to me?

Unfortunately, although sniff tests and commonly used rules of thumb are based on ethical principles and are often useful as a preliminary screen, in actual practice they rarely, by themselves, represent a sufficiently comprehensive examination of the decision in question, and so can leave the individuals and client corporations involved vulnerable to making unethical decisions. For this reason, more comprehensive techniques that consider the impact on client stakeholders should be employed whenever a proposed decision is questionable or likely to have significant consequences.

The ACFE tells us that many individual decision makers still don’t recognize the importance of stakeholders’ expectations of rightful conduct. If they did, the decisions made by corporate executives and by accountants and lawyers involved in Enron, Arthur Andersen, WorldCom, Tyco, Adelphia, and a whole host of others right up to the present day might have been different, and the personal and organizational tragedies that occurred might have been avoided. Some executives were motivated by greed rather than by enlightened self-interest focused on the good of all. Others went along with unethical decisions because they did not recognize that they were expected to behave differently and had a duty to do so. Some reasoned that because everyone else was doing something similar, how could it be wrong? The point is that they forgot to consider sufficiently the ethical practice (and duties) they were expected to demonstrate. Where a fiduciary duty was owed to future shareholders and other stakeholders, the public and personal virtues expected (character traits such as integrity, professionalism, courage, and so on) were not sufficiently considered. In retrospect, it would have been wise to include the assessment of ethical expectations as a separate step in any Enterprise Risk Management (ERM) process to strengthen governance and risk management systems and guard against unethical, short-sighted decisions.

It’s also evident that employees who continually make decisions for the wrong reasons, even if the right consequences result, can represent a high governance risk. Many examples exist where executives motivated solely by greed have slipped into unethical practices, and others have been misled by faulty incentive systems. Sears Auto Center managers were selling repair services that customers did not need, in order to raise their personal commission remuneration, and ultimately caused the company to lose reputation and future revenue. Many of the classic financial scandals of recent memory were caused by executives who sought to manipulate company profits to support or inflate the company’s share price to boost their own stock option gains. Motivation based too narrowly on self-interest can result in unethical decisions when proper self-guidance and/or external monitoring is lacking. Because external monitoring is unlikely to capture all decisions before implementation, it is important for all employees to clearly understand the broad motivation that will lead to their own and their organization’s best interest from a stakeholder perspective.

Consequently, decision makers should take the motivations and behavior expected by stakeholders into account specifically in any comprehensive ERM approach, and organizations should require accountability by employees for those expectations through governance mechanisms. Several aspects of ethical behavior have been identified as being indicative of mens rea (a guilty mind). If personal or corporate behavior does not meet shareholder ethical expectations, there will probably be a negative impact on reputation and the ability to reach strategic objectives on a sustained basis in the medium and long term.

The stakeholder impact assessment broadens the criteria of the preliminary sniff test by offering an opportunity to assess the motivations that underlie the proposed decision or action. Although it is unlikely that an observer will be able to know with precision the real motivations that go through a decision maker’s mind, it is quite possible to project the perceptions that stakeholders will have of the action. In the minds of stakeholders, perceptions will determine reputational impacts whether those perceptions are correct or not. Moreover, it is possible to infer from remuneration and other motivational systems in place whether the decision maker’s motivation is likely to be ethical or not. To ensure a comprehensive ERM approach, in addition to projecting perceptions and evaluating motivational systems, the decisions or actions should be challenged by asking such questions as:

Does the decision or action involve and exhibit the integrity, fairness, and courage expected? Put differently, does the decision or action involve and exhibit the motivation, virtues, and character expected?

Beyond the simple sniff test, stakeholder impact analysis offers a formal way of bringing into a decision the needs of an organization and its individual constituents (society). Trade-offs are difficult to make, and can benefit from such advances in technique. It is important not to lose sight of the fact that the concepts of stakeholder impact analysis need to be applied together as a set, not as stand-alone techniques. Only then will a comprehensive analysis be achieved and an ethical decision made.

Depending on the nature of the decision to be faced, and the range of stakeholders to be affected, a proper analysis could be based on any of the historical approaches to ethical decision making as elaborated by ACFE training and discussed so often in this blog. A professional CFE can use stakeholder analysis in making decisions about financial fraud investigations, fraud related accounting issues, auditing procedures, and general practice matters, and should be ready to prepare or assist in such analyses for employers or clients just as is currently the case in other areas of fraud examination. Although many hard-numbers-oriented executives and accountants will be wary of becoming involved with the “soft” subjective analysis that typifies stakeholder and ethical expectations analysis, they should bear in mind that the world is changing to put a much higher value on non-numerical information. They should be wary of placing too much weight on numerical analysis lest they fall into the trap of the economist, who, as Oscar Wilde put it: “knew the price of everything and the value of nothing.”

Who’s the Boss?

Rumbi Petrozzello, CPA/CFF, CFE
2016 Vice-President – Central Virginia Chapter ACFE

A few weeks ago, I called my aunt and found her quite frazzled. When I asked her what was wrong, she told me about a phone call she had received the day before. The man on the other end of the line claimed to be an IRS agent. He was calling, he said, because she owed a substantial amount of money to the IRS. My aunt was confused because she has faithfully filed tax returns and paid what was due every year. In response, the alleged IRS agent said that her returns had been reviewed and that, due to errors, she owed a lot of money to the IRS and, if she did not pay immediately she would be imprisoned and would lose her Green Card.

Now, my aunt has only recently been approved for permanent residency and, when this call came in, the physical Green Card had not yet arrived in the mail. At this point my aunt started to panic. She did not want to lose her Green Card but, at the same time, she could not understand how she suddenly owed money to the IRS, money she certainly did not have on hand to pay. Then she started to cry. Her daughter, my cousin, happened to walk into the room at that moment and, seeing her mother in such a state, she grabbed the phone and demanded an explanation from whomever was on the line. Fortunately, my cousin immediately identified the scam. She knew that this is never how the IRS goes about trying to collect tax revenue. The IRS will not call you and demand tax payment immediately. And the IRS always gives you the opportunity to dispute a tax bill.

The IRS will never call you to say the police are on their way to arrest you; the IRS will never threaten that you will lose your driver’s license, Green Card or passport; and the IRS will not demand that you go to a money transfer company to send them cash or ask for credit card information over the phone … all demands that these types of scammers routinely make.

So my cousin yelled at the man on the phone and the man, realizing that he had been busted, hung up. My aunt, as I’m sure most readers of this blog know, is not alone, either as a victim or in her vulnerability. Just the other day, I listened to a Planet Money podcast, where a woman received a fake IRS call that included the voice of a second man claiming to be a police officer declaring he was on his way to arrest the victim. The caller ID even said 911! The woman, in a panic, even went so far as to go to Western Union and initiate a money transfer. Fortunately for her, Western Union realized that this was a scam and saved this woman her money. These scammers bank on the power of the authority of institutions such as the IRS and impersonations of the police force to intimidate people into handing over their money with no questions allowed.

Impersonation frauds often feature an email, appearing to come from a high-ranking executive in a company, copied to a lower level employee. This lower level employee is usually someone who has responsibility for, and, therefore, direct access to, the process of transferring payments to vendors. The text of the fake email instructs the lower-level employee to make a payment to a vendor. This type of scam e-mail tends to have several defining characteristics:

  • Examination of the email header will reveal that it does not come from the executive or even from within the company. For instance, if the email domain of the company is TheCompany.com then the fake domain may be TheCopmany.com. Close enough to be missed by a casual glance but not the same.
  • Sometimes scammers will hack the spoofed sending executive’s email, so the fake request appears to be coming from a legitimate, but actually compromised, email address.
  • Often the executives spoofed as sending this email may not be immediately accessible to the employee – either because they are out of town or because the lines of communication between the employee and executive are convoluted and difficult to access.
  • The instructions will state that the need for payment is urgent and that the employee must do so immediately.
  • Altered payment terms. For a well-known vendor paid regularly, the email will contain new payment instructions to pay into a different bank account from that on record, usually to a foreign, off-shore bank account.
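The defining characteristics listed above, turned into a screening check as an added example that is not code from the post: it parses one constructed payment-request message, compares the sender domain with the company domain using an edit distance that counts a swapped letter pair (TheCopmany for TheCompany) as one edit, and looks for urgency wording, new bank details and an executive who cannot be reached for a call-back. The company domain, out-of-office roster, word lists and message are all constructed assumptions.

```python
"""Score a constructed vendor-payment email against the warning signs above.

Added illustration, not code from the post. The domain, roster, word lists
and the message itself are constructed samples.
"""
import email
import email.utils
from email import policy

COMPANY_DOMAIN = "thecompany.com"          # constructed
OUT_OF_OFFICE = {"ceo@thecompany.com"}     # constructed: the CEO is travelling
URGENT_WORDS = ("urgent", "immediately", "right away", "today")
BANK_WORDS = ("new account", "new bank", "updated bank", "wire to", "account number")

RAW_EMAIL = """\
From: "Pat Chief (CEO)" <ceo@thecopmany.com>
To: ap.clerk@thecompany.com
Subject: Urgent vendor payment
Date: Tue, 01 Mar 2016 08:12:00 -0500

Hi, I'm travelling and can't be reached by phone. Please wire the Acme
invoice immediately to their new bank account (details below) today.
"""

def damerau_distance(a, b):
    """Optimal string alignment distance: a swapped adjacent pair costs one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def red_flags(raw, company_domain=COMPANY_DOMAIN, out_of_office=OUT_OF_OFFICE):
    """Return the warning signs found in one raw RFC 5322 message, in order."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg["From"])[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    text = (msg["Subject"] or "").lower() + " " + body
    flags = []
    if domain != company_domain:
        dist = damerau_distance(domain, company_domain)
        if dist <= 2:
            flags.append(f"lookalike sender domain {domain} ({dist} edit(s) from {company_domain})")
        else:
            flags.append(f"external sender domain {domain}")
    if any(w in text for w in URGENT_WORDS):
        flags.append("urgency language")
    if any(w in text for w in BANK_WORDS):
        flags.append("new or changed bank details")
    # The call-back check looks up the executive's real mailbox, not the claimed one
    executive = sender.split("@", 1)[0] + "@" + company_domain
    if executive in out_of_office or "can't be reached" in body:
        flags.append("requester unreachable for call-back verification")
    return flags

if __name__ == "__main__":
    for flag in red_flags(RAW_EMAIL):
        print("-", flag)
```

Any non-empty result is a reason to hold the payment and verify through a channel the company already has on file, which is the control the post recommends below.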

Lower level employees, because they’re intimidated, don’t want to get into trouble, or fear losing their jobs, will often act without question, making the money transfer as instructed. Unfortunately, once the scam has been uncovered, the money and the fraudster are generally long gone. Though the details vary with these types of scams, what remains constant is that the lower-level employee does not question the instructions because they believe the instructions are coming straight from their boss. They believe that disobeying the sender of the email can lead to a reprimand or other negative consequences so they act without question. Even though some of these fraudsters have been caught, most of the time they take their winnings and simply vanish.

In addition to raising general public awareness of this type of fraud, forensic accountants can also provide services to help deter and detect executive impersonation fraud. System controls can be instituted and adjusted with this risk in mind. Possible areas of focus are:

  • Both executives and staff should receive training regarding the features of the email they use, so they can be mindful of what links and attachments they open. One way the fraudsters gain access to executive accounts is by hacking systems using malware that they attach to an email. Since the client’s higher level executives are the ones targeted, you should emphasize the importance of their participation in this training. Accounting and finance staff should be special targets of this training upon hire and should receive regularly scheduled refreshers.
  • Employee training and payment policies should emphasize that, regardless of who is asking, the proper procedures must be kept in place. Even if the CEO is asking for this urgent transfer, the employee must get the required authorizations and verify that the payment is going to a valid vendor. Employees should be encouraged to question authority if a transaction appears out of the ordinary; it is the responsibility of management to assure employees that there will never be reprisals for asking questions about any unusual payment; management should initiate formal channels for the asking of such questions.
  • A company should have a social media policy and social media training for employees to prevent employees from inadvertently sharing sensitive company information that would be helpful to hackers.
  • There should be systems in place so that, as with check payments, wire transfers cannot be released by an employee without prior authorization – and never on the original authorization of an unsupported email from an executive, no matter at what level. Often the controls over check payments are not as rigorous as those for wire transfers. I met a controller at a not for profit organization. During a conversation, he told me how, even though he is not an authorized check signer (because he performs the bank reconciliations), the bank added him to a list of those authorized to initiate wire transfers.
  • There should be a system to verify and confirm wire information for every vendor and any procedural changes should be checked with the company, either by getting in direct touch with the vendor or using the information that the company already has on file.

Forensic accountants are perfectly placed to help clients deter, prevent and detect executive impersonation fraud through strengthening control systems, employee training (including for executives) and maintaining public awareness of this ever more common type of fraud. Electronic communications and on-line banking services can be very convenient and fast but, taking the time to check where instructions are coming from and to what they relate as well as making sure that all such transactions are fully and properly authorized can go a long way to saving a company from the massive headaches consequent on fraud related losses.

The last thing any executive wants is to come back from a fishing trip (that she posted about beforehand in detail on social media), to find that the corporate bank account has been cleaned out by a lower level employee intimidated into acting on the vacationing executive’s alleged say so.