Tag Archives: client relations

You Are Your Report

The ACFE tells us that organizing and writing the final fraud investigation report is one of the most challenging tasks that CFE’s report routinely performing in connection with their examinations. Thus, the whole process of communicating the results of our investigations is, and must be, an integral part of any CFE’s practice. As I’m sure every reader of this blog knows, any communication can be challenging, even when the news being delivered is positive, but when the news to be delivered is negative (e.g., analyzing the facts of an embezzlement or presenting the results of an investigation of a complex management fraud), the job of delivering it can be super stressful. In such situations, the CFE’s ability to communicate takes on increased importance. An organized, thoughtful approach can make that task easier and more constructive for all concerned. Therefore, in my opinion, practitioners would do well to apply some key steps to any kind effective communication.

We can take some comfort in realization of the fact that the responsibility for delivering bad news is certainly not unique to fraud examiners. Professionals of all disciplines have developed protocols for communicating news perceived to be negative. These protocols are generally built on the keys to effective information transfer common to all types of communication and stress the importance of having a plan. Where they differ from the general communication guidance with which assurance professionals may already be familiar is their emphasis on specific keys that are particularly helpful in face-to-face meetings and situations requiring investigators to deliver negative news. One such protocol exists under a variety of names but is most frequently dubbed the “ABCDE” mnemonic. Let’s go through the letters of the mnemonic one by one.

The “A” stands for advanced planning. Advance preparation is an especially important element of effectively communicating bad news. It should go without having to be said that CFE’s can avoid wasted time and potentially embarrassing mistakes by having a solid grasp of the facts before delivering any of their findings to others. This includes carefully reviewing findings and confirming their understanding of critical issues well in advance of any reporting. Although fraud examiners often are sometimes familiar with their audience as the result of past interactions (especially if they’re employed by an attorney or an investigative firm), it’s always helpful to gather background information about the target audience of the findings, their level of involvement with and understanding of the issue, and their communication styles so the CFE can tailor the report and/ or related meeting accordingly. Examiners also may consider visualizing the point of view they expect the audience will have regarding the issue in question, because this will likely guide their reactions and questions. And as always, practice makes perfect. It’s better to work out any bugs alone or with a colleague (if you’re lucky enough to have one) than in the midst of a highly charged meeting with attorneys and management present.

“B” addresses the protocol process of building the environment and is especially relevant to face to face presentations of the report. The setting for the meeting also is an important factor, as it should allow the examiner to maintain control over the meeting’s direction. Optimally, the meeting should occur in a place that’s private, where the participants are not distracted, and where interruptions are kept to a minimum. These factors may not be as difficult to control in the case of meetings with an audit committee or in your employing attorney’s office which generally occur in a private conference room, but examiners should consider the practical complications that can arise when meeting with a client manager in his or her office. Distractions created by telephones, e-mail, employees coming and going, or the possibility of being overheard can limit meeting productivity. With this in mind, CFE’s should try to schedule the meeting at a time and place where the participants can devote their full attention to the challenging issues at hand.

Communicating well is the “C” in our mnemonic. To try always to employ direct, clear language to communicate bad news, while still being sensitive to the audience’s feelings, is an imperative skill for investigators to possess. Although it’s sometimes tempting to temper an issue or to use euphemisms to try to soften the blow, that approach can add confusion, and ultimately, only delay the inevitable. A straightforward, honest delivery of the facts is generally the best policy and is, after all, what we’re being paid to do. Never lose sight of the fact that some words (e.g., scam and scheme) are emotionally charged and may elicit negative reactions from the audience. Instead, words such as “suspected scenario”, or “suspected irregularity” better convey the message without unnecessarily offending anyone. Striking the right balance between directness and sensitivity can be difficult, but it’s critical to the successful delivery of bad news. Providing the audience with specific examples from her report can help clarify the CFE’s message without the need for personal, un-objective, or emotion laden words. We know from many ACFE publications and training courses that the majority of communication comes from body language, facial expressions, eye contact, and tone of voice. As fraud examiners and forensic accountants, we need to be aware of these nonverbal cues and keep them in check so they do not undermine delivery of our results. An important and often overlooked aspect of good communication is ensuring that the message sent equals the message received. Remember the old politician’s maxim; “Tell them. Tell them what your said. Tell them again”! It’s important, particularly in the case of bad news, for the examiner to verify that the audience fully understands the message being delivered, both its content and seriousness. Eliciting feedback from the audience will give the CFE an opportunity to confirm what they heard and will enable her to clear up any miscommunication immediately.

Dealing with reactions is the “D” in our mnemonic. As we all know, in the case of fraud reports, there will always be reactions. It’s inevitable, and healthy, that the audience will have questions and want you, the examiner, to provide actual transactions and/or evidence supporting the report findings. CFE’s should be prepared, based on “A” their advanced preparation, to anticipate questions and by gathering supporting documentation in advance, to provide these items during the meeting. Examiners should also expect audience members to offer their own responses or explanations to counter the report findings. Because emotions will be running high, these responses may take the form of a personal attack on the examiner, but s/he must take care not to react defensively or place blame. Above all, we CFE’s must keep in mind that our role is to communicate factual information so that appropriate due diligence can be taken and never to in any way speculate as to guilt or offer value judgments; stick to the facts which will always speak for themselves far more eloquently than you can.

It’s important for management and counsel to identify the immediate impact of the bad news. For example, does this apparent instance of fraud as revealed by the fraud report have immediate regulatory ramifications? Does this situation result in the need for a restatement of financial statements? Should we move forward immediately with terminations or prosecution? The fear of unknown consequences can make bad news seem even worse. By doing some advance research to help address these types of questions, the CFE can make a valuable contribution to the organization by helping to at least begin to define the extent of the unknown. Once the immediate impact has been assessed, the next logical step will be to develop a long-term plan for fixing or mitigating the control problem. Because of the examiner’s familiarity with the mechanics of the underlying issue confronting management and counsel, s/he is in an excellent position to work with other assurance professionals to provide alternatives or suggestions for remediation and for the eventual strengthening of the client’s fraud prevention program. Examiners should be sure to emphasize their willingness to provide additional information or assistance as needed as we assist management and others to arrange the timetable for following up on the results of our investigations.

The Man in the Mirror

I readily confess I would not have won any awards for effective delegation during my early years as a fraud examiner/information systems audit professional. To my mind the buck stopped with the guy in the mirror I saw shaving every morning. I prided myself on being personally capable of performing every routine task of every assignment involved in whatever function I was managing at the time. What finally weaned me from the practice of doing it all myself was the threat of burn-out and the seemingly ever-increasing demands of a typical work week of seventy hours.

The demands of managing in an assurance environment featuring risk assessments, regulatory compliance, fraud investigations, corporate governance, and engagement quality control can be crushing for any new (or not so new) manager but especially so for those unwilling or who simply lack the skills to adequately delegate; those skills usually only come with experience.

While some new to assurance or investigative management may think delegating simply means passing off work to subordinates, the lines of delegation also can occur laterally to peers and upward to superiors. The distinction is important, because in delegating to subordinates, one of the goals is to achieve long term investigative team development. This goal comes with a shift in emphasis from managing to leading. Managing is about getting the work done, whereas leading fosters learning, growth, and a greater sense of responsibility among individual members of the your team.

According to the ACFE, the first step to successful delegation within examination work is recognizing when to let go rather than trying to do too much. For CFEs new to leadership responsibilities, a willingness to delegate can be challenging. CFEs typically advance to management positions as a result of their individual achievements and performance. This advancement fosters a sense that the person best suited to accomplish a given task is the one whose already done it satisfactorily, but that is not the way leaders should think. Even though an assurance professional has advanced to a management position based on past accomplishments, he or she needs to take a broader view of what is in the long term interest of her function group and/or organization. A conscious commitment to delegation can enable the individual manager to not only increase their personal productivity but also (and here I speak from personal experience) gain better control of their lives and, hence, prevent burnout.

An honest self-examination is a precursor to delegation. CFEs and other assurance professionals in a management position need to understand their capabilities and role(s) within the organization. One way to do this is by considering their vision for and the needs of the organization. Then, what are the assurance function’s immediate and long-term goals, including capabilities and developmental needs? Realizing that trusting others, not just one self, to do a high quality job is a personal decision and there can be many barriers to it. What is the nature of your own personal career goals and your priorities for work-life balance? A periodic, wholly candid assessment of these and similar issues can give any manager a better perspective on his or her motives in relation to delegating.

Delegating is more than just shoving work on someone who possesses the skill set to fit the task. Rather, delegating is an opportunity to cultivate members of the investigative team by increasing the number of people who are capable of taking on a bigger role, which can help strengthen the team and create a succession plan in the event of unexpected personnel turnover. How often have we all been witness to the chaos which can ensure when a key staff member leaves and no-one has been groomed to fill her place?

To the extent possible, an new staff CFE should be matched strategically with an assignment that is a bit above his or her head as a way of providing a positive learning experience. Delegating with career development in mind means managers will need to resist playing the role of lifeguard. Subordinates will struggle at times, but managers shouldn’t be too quick to act as helicopter parents and come to the rescue. Instead, managers should remain confident in the basic capabilities of their staff and allow reasonable time for learning and growth, which enables the team to gain experience and add more value to the organization.

Knowing whether a particular assignment is within an examiner’s potential capabilities and can enable him or her to grow professionally, however, is often not an easy task. As managers delegate assignments, they should consider not limiting assignments only to those areas in which an investigator has had prior experience. Also, managers need to avoid the tendency toward primarily delegating interesting or important assignments to the most favored team members; managers should groom everyone on the team not just the superstars; it’s the superstars who are, let’s face it, the most desirable targets for external recruiters. The same is true for undesirable assignments; managers also should spread those among the whole team, which can demonstrate that everyone is treated fairly. A thoughtful delegating process helps keep the assurance team challenged and motivated, thereby reducing the likelihood of losing promising but insufficiently challenged staff members.

Initial parameters need to be established to prevent misunderstandings, deficient productivity, or delays in the timely completion of examinations. All parties involved should have a clear understanding of the delegated assignment and of expectations. However, managers should refrain from giving excessively detailed instructions. Successful delegating does not mean micromanaging anyone. Instead, managers should consider focusing on discussing the objectives, scope, and outcomes of the assignment. When examiners are allowed the flexibility and freedom to perform their work, they not only learn more but also may show considerable ingenuity. Managing CFEs can foster an environment of participative management by encouraging input from subordinates toward refining the plans, expectations, and deadlines, as well as emphasize how the present investigation fits into the larger scheme. When a team member sees the whole process rather than only a part, he or she is less likely to miss a critical matter and may become more motivated to deliver a quality product.

The ACFE recommends that the CFE engagement manager should give his or her subordinates authority to operationally pursue their assignment and to make decisions as they see fit. Delegating the authority is no less important than assigning the responsibility for a task. In the absence of conferring an appropriate level of authority, the team member’s performance could be undercut. Also, examination managers should keep an open mind by welcoming new ideas, innovative suggestions, and alternative proposals from others. Nothing is more motivating for a subordinate than to realize that he or she has a significant ownership stake in the results. This is another reason why managers should delegate as much of an entire assignment, rather than a small portion, as possible. Doing so can help instill a sense of importance and self-esteem for the staff investigator no matter what the number of years of their experience.

Communication is an essential element of successful delegating, and regular updates about progress, results, and deadlines should occur weekly, or sometimes daily, depending on the staff member’s level of experience and the type of assignment. Meetings can be conducted face-to-face, by phone, or through videoconferencing and do not always have to be long to be effective.

As managers check on progress, they should be supportive rather than intrusive and avoid putting a subordinate on the defensive by being too critical. Managers also should allow for communication flexibility by encouraging more immediate contact between progress meetings in the event a matter requiring urgent attention unexpectedly develops.

Any significant delegated assignment should culminate with a constructive evaluation of the subordinate’s performance. Often, there is a tendency to view the simple act of delegation itself as work done. As an old colleague of mine used to say, “A task delegated is a task completed.” Even in a case where the smaller scope of a subordinate’s assignment does not merit an exit session, it is still a boost for team morale to give recognition and show gratitude for the work done.

I have never met an experienced (and successful) CFE investigation team leader who did not embrace the role and significance of delegating. However, the ability to delegate depends on trust, communication, and encouragement. When delegating, assurance managers need to accept the risk that mistakes can and will occur and remember that professionals can learn from their mistakes. Not only is valuable experience gained by the investigative team, but the manager’s time also is freed up for more critical tasks and projects. In the long run, a commitment to delegation serves to strengthen any team of investigators as well as benefit our client organization, whatever and wherever that might be.

Beyond the Sniff Test

Many years ago, I worked with a senior auditor colleague (who was also an attorney) who was always talking about applying what he called “the sniff test” to any financial transaction that might represent an ethical challenge.   Philosophical theories provide the bases for useful practical decision approaches and aids like my friend’s sniff test, although we can expect that most of the executives and professional accountants we work with as CFEs are unaware of exactly how and why this is so. Most seasoned directors, executives, and professional accountants, however, have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis. To their minds, if these preliminary tests give rise to concerns, a more thorough analysis should be performed using any number of defined approaches and techniques.

After having heard him use the term several times, I asked my friend him if he could define it.  He thought about it that morning and later, over lunch, he boiled it down to a series of questions he would ask himself:

–Would I be comfortable as a professional if this action or decision of my client were to appear on the front page of a national newspaper tomorrow morning?
–Will my client be proud of this decision tomorrow?
–Would my client’s mother be proud of this decision?
–Is this action or decision in accord with the client corporation’s mission and code?
–Does this whole thing, in all its apparent aspects and ramifications, feel right to me?

Unfortunately, for their application in actual practice, although sniff tests and commonly used rules are based on ethical principles and are often preliminarily useful, they rarely, by themselves, represent a sufficiently comprehensive examination of the decision in question and so can leave the individuals and client corporations involved vulnerable to making unethical decisions.  For this reason, more comprehensive techniques involving the impact on client stakeholders should be employed whenever a proposed decision is questionable or likely to have significant consequences.

The ACFE tells us that many individual decision makers still don’t recognized the importance of stakeholder’s expectations of rightful conduct. If they did, the decisions made by corporate executives and by accountants and lawyers involved in the Enron, Arthur Andersen, WorldCom, Tyco, Adephia, and a whole host of others right up to the present day, might have avoided the personal and organizational tragedies that occurred. Some executives were motivated by greed rather than by enlightened self-interest focused on the good of all. Others went along with unethical decisions because they did not recognize that they were expected to behave differently and had a duty to do so. Some reasoned that because everyone else was doing something similar, how could it be wrong? The point is that they forgot to consider sufficiently the ethical practice (and duties) they were expected to demonstrate. Where a fiduciary duty was owed to future shareholders and other stakeholders, the public and personal virtues expected (character traits such as integrity, professionalism, courage, and so on), were not sufficiently considered. In retrospect, it would have been wise to include the assessment of ethical expectations as a separate step in any Enterprise Risk Management (ERM) process to strengthen governance and risk management systems and guard against unethical, short-sighted decisions.

It’s also evident that employees who continually make decisions for the wrong reasons, even if the right consequences result, can represent a high governance risk.  Many examples exist where executives motivated solely by greed have slipped into unethical practices, and others have been misled by faulty incentive systems. Sears Auto Center managers were selling repair services that customers did not need to raise their personal commission remuneration, and ultimately caused the company to lose reputation and future revenue.  Many of the classic financial scandals of recent memory were caused by executives who sought to manipulate company profits to support or inflate the company’s share price to boost their own stock option gains. Motivation based too narrowly on self-interest can result in unethical decisions when proper self-guidance and/or external monitoring is lacking. Because external monitoring is unlikely to capture all decisions before implementation, it is important for all employees to clearly understand the broad motivation that will lead to their own and their organization’s best interest from a stakeholder perspective.

Consequently, decision makers should take motivations and behavior expected by stakeholders into account specifically in any comprehensive ERM approach, and organizations should require accountability by employees for those expectations through governance mechanisms. Several aspects of ethical behavior have been identified as being indicative of mens rea (a guilty mind).  If personal or corporate behavior does not meet shareholder ethical expectations, there will probably be a negative impact on reputation and the ability to reach strategic objectives on a sustained basis in the medium and long term.

The stakeholder impact assessment broadens the criteria of the preliminary sniff test by offering an opportunity to assess the motivations that underlie the proposed decision or action. Although it is unlikely that an observer will be able to know with precision the real motivations that go through a decision maker’s mind, it is quite possible to project the perceptions that stakeholders will have of the action. In the minds of stakeholders, perceptions will determine reputational impacts whether those perceptions are correct or not. Moreover, it is possible to infer from remuneration and other motivational systems in place whether the decision maker’s motivation is likely to be ethical or not. To ensure a comprehensive ERM approach, in addition to projecting perceptions and evaluating motivational systems, the decisions or actions should be challenged by asking such questions as:

Does the decision or action involve and exhibit the integrity, fairness, and courage expected? Alternatively, does the decision or action involve and exhibit the motivation, virtues, and character expected?

Beyond the simple sniff test, stakeholder impact analysis offers a formal way of bringing into a decision the needs of an organization and its individual constituents (society). Trade-offs are difficult to make, and can benefit from such advances in technique. It is important not to lose sight of the fact that the concepts of stakeholder impact analysis need to be applied together as a set, not as stand-alone techniques. Only then will a comprehensive analysis be achieved and an ethical decision made.

Depending on the nature of the decision to be faced, and the range of stakeholders to be affected, a proper analysis could be based on any of the historical approaches to ethical decision making as elaborated by ACFE training and discussed so often in this blog.  A professional CFE can use stakeholder analysis in making decisions about financial fraud investigations, fraud related accounting issues, auditing procedures, and general practice matters, and should be ready to prepare or assist in such analyses for employers or clients just as is currently the case in other areas of fraud examination. Although many hard-numbers-oriented executives and accountants will be wary of becoming involved with the “soft” subjective analysis that typifies stakeholder and ethical expectations analysis, they should bear in mind that the world is changing to put a much higher value on non-numerical information. They should be wary of placing too much weight on numerical analysis lest they fall into the trap of the economist, who, as Oscar Wilde put it: “knew the price of everything and the value of nothing.”

The CFE, Management & Cybersecurity

Strategic decisions affect the ultimate success or failure of any organization. Thus, they are usually evaluated and made by the top executives. Risk management contributes meaningfully and consistently to the organization’s success as defined at the highest levels. To achieve this objective, top executives first must believe there is substantial value to be gained by embracing risk management. The best way for CFEs and other risk management professionals to engage these executives is to align fraud risk management with achievement (or non-achievement) of the organization’s vital performance targets, and use it to drive better decisions and outcomes with a higher degree of certainty.

Next, top management must trust its internal risk management professional as a peer who provides valuable perspective. Every risk assurance professional must earn trust and respect by consistently exhibiting insightful risk and performance management competence, and by evincing a deep understanding of the business and its strategic vision, objectives, and initiatives. He or she must simplify fraud risk discussions by focusing on uncertainty relative to strategic objectives and by categorizing these risks in a meaningful way. Moreover, the risk professional must always be willing to take a contrarian position, relying on objective evidence where readily available, rather than simply deferring to the subjective. Because CFEs share many of these same traits, the CFE can help internal risk executives gain that trust and respect within their client organizations.

In the past, many organizations integrated fraud risk into the evaluation of other controls. Today, per COSO guidance, the adequacy of anti-fraud controls is specifically assessed as part of the evaluation of the control activities related to identified fraud risks. Managements that identify a gap related to the fraud risk assessments performed by CFEs and work to implement a robust assessment take away an increased focus on potential fraud scenarios specific to their organizations. Many such managements have implemented new processes, including CFE facilitated sessions with operating management, that allow executives to consider fraud in new ways. The fraud risk assessment can also raise management’s awareness of opportunities for fraud outside its areas of responsibility.

The blurred line of responsibility between an entity’s internal control system and those of outsourced providers creates a need for more rigorous controls over communication between parties. Previously, many companies looked to contracts, service-level agreements, and service organization reports as their approach to managing service organizations. Today, there is a need to go further. Specifically, there is a need for focus on the service providers’ internal processes and tone at the top. Implementing these additional areas of fraud risk assessment focus can increase visibility into the vendor’s performance, fraud prevention and general internal control structure.

Most people view risk as something that should be avoided or reduced. However, CFEs and other risk professionals realize that risk is valued when it can help achieve a competitive advantage. ACFE studies show that investors and other stakeholders place a premium on management’s ability to limit the uncertainty surrounding their performance projections, especially regarding fraud risk. With Information Technology budgets shrinking and more being asked from IT, outsourcing key components of IT or critical business processes to third-party cloud based providers is now common. Management should obtain a report on all the enterprise’s critical business applications and the related data that is managed by such providers. Top management should make sure that the organization has appropriate agreements in place with all service providers and that an appropriate audit of the provider’s operations, such as Service Organization Controls (SOC) 1 and SOC 2 assurance reports, is performed regularly by an independent party.

It’s also imperative that client management understand the safe harbor clauses in data breach laws for the countries and U.S. states where the organization does business.  In the United States, almost every state has enacted laws requiring organizations to notify the state in case of a data breach. The criteria defining what constitutes a data breach are similar in each state, with slight variations.

CFE vulnerability assessments should strive to impress on IT management that it should strive to make upper management aware of all major breach attempts, not just actual incidents, made against the organization. To see the importance of this it’s necessary only to open a newspaper and read about the serious data breaches occurring around the world on almost a daily basis. The definition of major may, of course, differ, depending on the organization’s industry and whether the organization is global, national, or local.  Additionally, top management and the board should plan to meet with the organization’s chief information security officer (CISO) at least once a year. This meeting should supplement the CFE’s annual update of the fraud risk assessment by helping management understand the state of cybersecurity within the organization and enabling top managers and directors to discuss key cybersecurity topics. It’s also important that the CISO is reporting to the appropriate levels within the organization. Keep in mind that although many CISOs continue to report within the IT organization, sometimes the chief information officer’s agenda conflicts with the CISO’s agenda. As such, the ACFE reports that a better reporting arrangement to promote independence is to migrate reporting lines to other officers such as the general counsel, chief operating officer, chief risk officer (CRO), or even the CEO, depending on the industry and the organization’s degree of dependence on technology.

As a matter of routine, every organization should establish relationships with the appropriate national and local authorities who have responsibility for cybersecurity or cybercrime response. For example, boards of U.S. companies should verify that management has protocols in place to guide contact with the Federal Bureau of Investigation (FBI) in case of a breech; the FBI has established its Key Partnership Engagement Unit, a targeted outreach program to senior executives of major private-sector corporations.

If there is a Chief Risk Officer (CRO) or equivalent, upper management and the board should, as with the CISO, meet with him or her quarterly or, at the least, annually and review all the fraud related risks that were either avoided or accepted. There are times when a business unit will identify a technology need that its executive is convinced is the right solution for the organization, even though the technology solution may have potential security risks. The CRO should report to the board about those decisions by business-unit executives that have the potential to expose the organization to additional security risks.

And don’t forget that management should be made to verify that the organization’s cyber insurance coverage is sufficient to address potential cyber risks. To understand the total potential impact of a major data breach, the board should always ask management to provide the cost per record of a data breach.

No business can totally mitigate every fraud related cyber risk it faces, but every business must focus on the vulnerabilities that present the greatest exposure. Cyber risk management is a multifaceted function that manages acceptance and avoidance of risk against the necessary actions to operate the business for success and growth, and to meet strategic objectives. Every business needs to regard risk management as an ongoing conversation between its management and supporting professionals, a conversation whose importance requires participation by an organization’s audit committee and other board members, with the CFE and the CISO serving increasingly important roles.

Bob the Builder

bobthebuilder

by Rumbi Petrozzello
2016 Vice President – Central Virginia ACFE Chapter

The soundtrack of my summer was a cacophony of drills, sanders and related discordant noises, all guaranteed to drive me to near insanity. Since the bulk of this seemed to be happening right outside my window, the result was a shrinking view of the sky, more views into the homes of my neighbors than I ever wanted and a near-constant film of dust on everything in our home, despite all our best efforts. I thought that construction was looming large only in my life but, coming off a trip to Nashville, Tennessee, I see that I’m far from alone. I took a tour bus around the city and, it almost seemed the city skyline was made up of little else than the silhouettes of massive construction cranes. There’s a lot going on in an industry that, at least in New York City, has a history of control by organized crime.

It’s hardly surprising – construction projects span long periods of time and require many moving parts. There can be several contractors responsible for different parts of a construction project, and each of those contractors hires subcontractors. Because projects range from moderate to long term, contractors and subcontractors will bill periodically for work in progress and, there is a lot of leeway for estimating just how much of the project has been completed. Depending on the contract, there may be head room to get paid for cost overruns and, if there’s room for that, you can be sure that someone is going to try to take advantage. There is no shortage of ways in which fraud or error can occur when it comes to construction. Controlling various aspects of the construction industry was lucrative business for organized crime for many years. Nowadays, the regular fraudster on the street has also found his way into profiting from construction related fraud – if the opportunity is there, the ethically challenged always seem to find ways to exploit it.

As forensic accountants and fraud examiners, we may find ourselves being called upon to investigate such frauds. Sometimes companies decide to be proactive and bring us in to assess, suggest and institute practices that will help prevent, detect and deter fraudulent activities. In either case, there is much that we can do. An important aspect of this type of effort is our emphasizing to the client and the wider business community the importance of well-kept and comprehensive business records. As tedious as some of this may feel to those maintaining the records, such records can prove invaluable when things go wrong. Contractors and their subcontractors should both maintain up-to-date ledgers. The ledger information should be corroborated by supporting information. Examples of critical documentation are:

  • Payroll records – this includes matching the ledger information to time cards, information from payroll processing companies and filings with city, state and federal authorities.
  • Bank statements – bank statements should be reconciled to the general ledger and there should be searches for possible bank accounts that are not reported on the ledger. Is the contractor transferring funds to accounts for related companies? What information is on the credit card statements and how does it relate to the contractors’ ledgers? Does information on brokerage accounts match information in the general ledger?
  • Invoices – do the vendors declarations of what’s going on make sense? Do their submitted expenses make sense? Can you immediately understand their expenses or is the information vague and lacking enough detail to determine what the vendor is being paid for? Have costs been misclassified? Follow the money … we should always stop and take the time to look and see where the money is going and why it’s going there.

Many construction projects employ union workers. Because unions tend to be organizations with lots of bureaucracy, it follows that they tend also to be organizations with lots of records. If a union tells you that it does not have many records, that fact alone should raise a red flag. When seeking to verify information from such organizations, there are various standard records we can request:

  • Shop steward report – This is a report that will show the names of the employees working, the times they reported for work and left and out and the number of hours worked. This information can be very useful in testing if the hours claimed are reasonable.
  • Job descriptions – Do the job descriptions make sense and do they match the employees that are claiming to be doing the work? In one case in New York City, a legally blind man was listed on the books as a heavy machinery operator. Subsequent investigation revealed that he was indeed blind; and he never went anywhere near heavy machinery.
  • Member profiles – Review benefits and see to whom the union pays those benefits. Review the records and see if anything jumps out at you as being unusual, requiring further information and perhaps investigation. Do you have a member (or members) listed who’s well-paid for not doing much?
  • Look at the records the general contractor keeps and see if they match the records kept by the union.

If you’ve been brought in to perform proactive fraud prevention and detection work, encourage and suggest that, if one does not already exist, the company set up an effective and comprehensive whistleblower program. Confidential sources are often the most important element of an investigation. These sources can also be very helpful in making sure that you ask for all the documents needed for your specific investigation and they can also make valuable suggestions precisely where else you can look for vital case information.

If my city is anything like yours, there are a lot of construction projects being planned and in the works. You don’t have to look hard at all to find media reporting on cost overruns and fraud in the construction industry. From The Big Dig in Boston to personal tales told to you by friends, there are many ways in which the moving parts of any construction project can be exploited by fraudsters. There are also many ways in which we can be of service as forensic accountants and fraud examiners to deter, detect and investigate every aspect of this exploitation.

The Client Waltz

waltzNot too long ago I attended a dinner meeting out of town and had a short discussion about field work with a fellow fraud examiner working her first fraud examination as part of an investigative team.  The corporate counsel of the client organization had directly engaged her small firm and my new friend and dinner partner was experiencing difficulty in gaining access to the client staff with whom she needed to work to perform her part of the investigation.  The root problem seemed to be that the engaging counsel had failed to adequately brief either the lead fraud examiner or his client on just how the examination was be conducted and, consequently the examiners were experiencing frustration because they didn’t think they were initially working with the right people to get their job done.

All too often, fraud examiners are asked to rely on a small number of primary contacts – such as the controller, chief financial officer, or business process manager – to supply all the information for an engagement. In some instances, these individuals may, as a result of confusion or worse, prevent the examiner from speaking with other members of the area under review – a practice referred to as shuttling. But regardless of whether this occurs, talking only with supervisors and managers may not elicit the detail and precision necessary for an effective review.  It’s critical that CFE’s know how to break down any barriers that keep them from those with actual knowledge of the fraud, while at the same time avoiding any damage to their rapport with the primary review contact (in this case, the corporate counsel).  This can be an intricate dance indeed! By enhancing their interpersonal soft skills, CFE’s can walk this delicate line more effectively and increase the likelihood of an outcome satisfactory to all parties. Several key skills, in particular, help fraud examiners gain access to all relevant client staff and elicit the kind of information that will result in a better investigative product.

As a general rule the CFE team leader should try to set up a detailed engagement planning and ground rule meeting with the primary examination contact(s) before starting the examination and then follow up with a formal engagement letter. Meeting the corporate counsel for lunch, for example, would have helped break the ice and provide a more relaxed environment for initial discussion then the hurried phone call from the client counsel that apparently took place in this case.  During the meeting, the lead CFE should try to identify some common ground that can be used throughout the engagement to shore up the relationship and help build rapport. S/he should also take note of the clients’ mannerisms and reactions and keep them in mind later when performing the review. When posing a tough fraud related question to the client, for example, the auditor can then observe whether the client’s mannerisms change compared to those observed while simply establishing rapport. Subsequent further probing on the part of the review team may be warranted if discrepancies are noted.

It’s always a challenge for a team of fraud examiners to quickly learn as much as possible about the business processes affected by a fraud before speaking directly with process owners. Otherwise, those involved with the fraud may perceive the CFE’s as ill prepared or uninformed and be prompt to try to take advantage of that ignorance. When any team member lacks familiarity with the client’s business, her credibility and professionalism may be called into question, and the relationship with the client can quickly become impaired.

Understanding the basic mechanics of client financial business processes up front enables the team to devote more of their engagement efforts to direct examination work. In other words, it helps ensure team member practitioners don’t spend an inordinate amount of time learning while on the job, focusing instead on staying alert for unusual transactions involving the fraud, changes in suspect behavior, and other potential issues. Moreover, examination subjects are more likely to point out more complex issues and solicit input if they feel comfortable with the examiner’s abilities. These insights, in turn, may lead to opportunities for documenting a wide range of situations useful later in court and subsequent recovery efforts.

And it goes without saying that team members should avoid excessively confident or arrogant behavior. In most instances client employees will know more about their operation than the investigative team, and they deserve respect for their expertise. Client staff should be lead to perceive the team as working collaboratively with them in a didactic manner to help resolve a difficult situation — this approach typically achieves the best results. By contrast, even a perception of an adversarial or gotcha approach can quickly sour the situation and compromise the entire process of the examination.

When asking the tough questions, the ACFE tells us that team members should avoid phrasing that may seem confrontational, and they should refrain from steering the response. For example, instead of saying, “You review the XYZ report weekly, correct?” the examiner could say something like, “Could you help me understand how often you review the XYZ report?” Essentially, CFE’s should ask open ended, nonthreatening questions, followed by requests for clarification. Also, be sure to express interest.  Team members should always try to show genuine interest in the subject’s work. In most instances, client employees are proud of what they do, and are pleased to share the details of their work with those they perceive as experts. Expressing interest can elicit valuable information and enhance the examination quality.  Interest is demonstrated by not appearing rushed and by asking relevant, informed questions.  Although this approach takes time (and CFE’s are always pressed for time), it can lead to insight and knowledge that always proves invaluable during the court room and prosecution phases that so often follow from our work product. For example, the unusual or infrequent irregular transactions/events that may not surface during standard interviews or via sample-based testing but are so vital to our work can often be highlighted in this manner.

Client employees contacted in the course of the investigation should be assured that the team is only interested in the facts and that no one is looking to judge them or their work product. Examiners need to listen carefully and objectively to subjects and avoid approaching discussions with apparent preconceived notions or biases. Maintaining impartiality will not only enhance our results, it should result in a stronger relationship with the main client, even when engagements lead to the confirmation of the suspected fraud.

Clarifying the significance of examination findings and discussing workable approaches for moving forward with the main client, help maintain the CFE to client relationship and establishes the CFE as a trusted fraud expert and advisor. For example, suppose the CFE, during her examination discovers that someone in the organization (not connected with the suspected fraud) has the ability to receive goods into inventory, perform physical inventory procedures (cycle counts), make inventory adjustments based on inventory counts, and directly write off damaged inventory to scrap. When reporting this collateral fact, the CFE might want to do more than simply document the apparent access and segregation of duties issues. S/he might want to elaborate on the finding’s significance for potential future fraud by mentioning the risk of loss of inventory (assets), as the employee’s level of system access provides an opportunity to inappropriately write off usable product as damaged, lost, or never received and then use it for personal gain. Descriptive interactions of this type add value to the examination by enabling our main client to fully appreciate the larger risks (even beyond the present fraud) associated with findings and take appropriate action to address them.

When identifying and framing any fraud related issue, CFE’s should keep its true level criticality in context. Managers and business leaders do not appreciate drama, and overreacting can hurt the examiner’s credibility and rapport with valuable future business contacts. Sticking to the facts can help keep almost any sensitive situation from spinning out of control.

Mindful management of the mechanics of client relations can change a stunted two-step into a graceful waltz.  All it takes is practice.