Tag Archives: fraud risk assessment

Loose Ends

A forensic accountant colleague of mine often refers to “loose-ends”. In his telling, loose-ends are elements of an investigation that get over-looked or insufficiently investigated which have the power to come back and bite an examiner with ill effect. That a small anomaly may be a sign of fraud is a fact that is no surprise to any seasoned investigator. Since fraud is typically hidden, the discovery of fraud usually is unlikely, at least at the beginning, to involve a huge revelation.

The typical audit does not presume that those the auditor examiners and the documents s/he reviews have something sinister about them. The overwhelming majority of audits are conducted in companies in which material fraud does not exist. However, the auditor maintains constant awareness that material fraud could be present.

Imagine a policewoman walking down a dark alley into which she knows a suspect has entered just before her. She doesn’t know where the suspect is, but as she walks down that alley, she is acutely aware of and attuned to her surroundings. Her senses are at their highest level. She knows beyond the shadow of a doubt that danger lurks nearby.

Fraud audits (and audits in general) aren’t like that. Fraud audits are more like walking through a busy mall and watching normal people go about their daily activities. In the back of the examiner’s mind, he knows that among all the shoppers are a few, a very few, shoplifters. They look just like everyone else. The examiner knows they are there because statistical studies and past experience have shown that they are, but he doesn’t know exactly where or who they are or when he will encounter them, if at all. If he were engaged to find them, he would have to design procedures to increase the likelihood of discovery without in any way annoying the substantial majority of honest shoppers in whose midst they swim.

A fraud risk assessment evaluates areas of potential fraud to determine whether the current control structure and environment are addressing fraud risk at a level that aligns with the organization’s risk appetite and risk tolerance. Therefore, it is important during the development and implementation of the risk management program to specifically address various fraud schemes to establish the correct levels of control.

It occurred to me a while back that a fraud risk assessment can of thought of as ignoring a loose-end if it fails to include sufficient consideration of the client organization’s ethical dimension. That the ethical dimension is not typically included as a matter of course in the routine fraud risk assessment constitutes, to my mind, a lost opportunity to conduct a fuller, and potentially, a more useful assessment. As part of their assessments, today’s practitioners can potentially use surveys, Control Self-Assessment sessions, focus groups, and workshops with employees to take the organization’s ethical temperature and determine its ethical baseline. Under this expanded model, the most successful fraud risk assessment would include small brainstorming sessions with the operational management of the business process(s) under review. Facilitated by a Certified Fraud Examiner (CFE), these assessments would look at typical fraud schemes encountered in various areas of the organization and identify the internal controls designed to mitigate each of them. At a high level, this analysis examines internal controls and the internal control environment, as well as resources available to prevent, detect, and deter fraud.

Fraud risk assessments emphasize possible collusion and management overrides to circumvent internal controls. Although an internal control might be in place to prevent fraudulent activity, the analysis must consider how this control could be circumvented, manipulated, or avoided. This evaluation can help the CFE understand the actual robustness and resilience of the control and of the control environment and estimate the potential risk to the organization.

One challenge at this point in the process is ensuring that the analysis assesses not just roles, but also those specific individuals who are responsible for the controls. Sometimes employees will feel uncomfortable contemplating a fellow employee or manager perpetrating fraud. This is where an outside fraud expert like the CFE can help facilitate the discussion and ensure that nothing is left off the table. To ask and get the answers to the right questions, the CFE facilitator should help the respondents keep in mind that:

o Fraud entails intentional misconduct designed to avoid detection.
o Risk assessments identify where fraud might occur and who the potential perpetrator(s) might be.
o Persons inside and outside of the organization could perpetrate such schemes.
o Fraud perpetrators typically exploit weaknesses in the system of controls or may override or circumvent controls.
o Fraud perpetrators typically find ways to hide the fraud from detection.

It’s important to evaluate whether the organization’s culture promotes ethical or unethical decision-making. Unfortunately, many organizations have established policies and procedures to comply with various regulations and guidelines without committing to promoting a culture of ethical behavior. Simply having a code of conduct or an ethics policy is not enough. What matters is how employees act when confronted with an ethical choice; this is referred to by the ACFE as measuring the organization’s ethical baseline.

Organizations can determine their ethical baseline by periodically conducting either CFE moderated Control Self-Assessment sessions including employees from high-risk business processes, through an online survey of employees from various areas and levels within the organization, or through workshop-based surveys using a balloting tool that can keep responses anonymous. The broader the survey population, the more insightful the results will be. For optimal results, surveys should be short and direct, with no more than 15 to 20 questions that should only take a few minutes for most employees to answer. An important aspect of conducting this survey is ensuring the anonymity of participants, so that their answers are not influenced by peer pressure or fear of retaliation. The survey can ask respondents to rate questions or statements on a scale, ranging from 1—Strongly Disagree to 5—Strongly Agree. Sample statements might include:

1. Our organizational culture is trust-based.
2. Missing approvals are not a big deal here.
3. Strong personalities dominate most departments.
4. Pressure to perform outweighs ethical behavior.
5. I share my passwords with my co-workers.
6. Retaliation will not be accepted here.
7. The saying “Don’t rock the boat!” fits this organization.
8. I am encouraged to speak up whenever needed.
9. Ethical behavior is a top priority of management.
10.I know where I can go if I need to report a potential issue of misconduct.

The ethical baseline should not be totally measured on a point system, nor should the organization be graded based on the survey results. The results should simply be an indicator of the organization’s ethical environment and a tool to identify potential areas of concern. If repeated over time, the baseline can help identify both positive and negative trends. The results of the ethical baseline survey should be discussed by the CFE with management as part of a broader fraud risk assessment project. This is especially important if there are areas with a lack of consensus among the survey respondents. For example, if the answer to a question is split down the middle between strongly agree and strongly disagree, this should be discussed to identify the root cause of the variance. Most questions should be worded to either show strong ethical behaviors or to raise red flags of potential unethical issues or inability to report such issues promptly to the correct level in the organization.

In summary, the additional value created by combining of the results of the traditional fraud risk assessment with an ethical baseline assessment can help CFEs better determine areas of risk and control that should be considered in building the fraud prevention and response plans. For example, fraud risk schemes that are heavily dependent on controls that can be easily overridden by management may require more frequent assurance from prevention professionals than those schemes that are mitigated by system-based controls. And an organization with a weak ethical baseline may require more frequent assessment of detective control procedures than one with a strong ethical baseline, which might rely on broader entity-level controls. By adding ethical climate evaluation to their standard fraud risk assessment procedures, CFEs can tie up what otherwise might be a major loose-end in their risk evaluation.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.  Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organizations’ exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization goals considering that desired state is essential.  Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

A Ship of Fools

Our Chapter’s January-February 2018 lecture for CPE credit is concerned with the broader ethical implications of the types of fraud, many interlocking and coordinated, that made up the 2007-2008 Great Recession.  At the center of the scandal were ethically challenged actions by bank managements and their boards, but also by the investment companies and ratings agencies, who not only initiated much of the fraud and deception but, in many cases, actively expanded and perpetuated it.

Little more than a glance at the historical record confirms that deception by bank executives of regulators and of their own investors about illegal activity or about the institution’s true financial condition to conceal poor performance, poor management, or questionable transactions is not new to the world of U.S. finance. In fact, it was a key practice during the meltdown of the financial markets in 2007. In addition, the period saw heated debate about alleged deception by the rating agencies, Standard & Poor’s, Moody’s, and Fitch, of major institutional investors, who depended on the agencies’ valuations of subprime-backed securities in the making of investment decisions. Thus, not only deceptive borrowers and unscrupulous mortgage brokers and appraisers contributed to the meltdown. The maelstrom of lies and deception that drove the entire U.S. financial system in mid to late 2005 accelerated to the point of no return, and the crisis that ensued proved unavoidable.

There were ample instances of bank deception in the years leading up to the Great Depression of the 1930’s. The facts came out with considerable drama and fanfare through the work of the era’s Pecora Commission. However, the breadth and scope of executive deception that came under the legal and regulatory microscope following the financial market collapse of 2007 to 2009 represent some of history’s most brazen cases of concealment of irresponsible lending practices, fraudulent underwriting, shady financial transactions, and intentionally false statements to investors, federal regulators, and investigators.

According to the ACFE and other analysts, the lion’s share of direct blame for the meltdown lies with top executives of the major banks, investment firms, and rating agencies. They charge the commercial bank bosses with perpetuating a boom in reckless mortgage lending and the investment bankers with essentially tricking institutional investors into buying the exotic derivative securities backed by the millions and millions of toxic mortgages sold off by the mortgage lenders. The commercial bank bosses and investment bankers were, according to these observers, aided and abetted by the rating agencies, which lowered their rating standards on high-risk mortgage-backed securities that should never have received investment-grade ratings but did so because the rating agencies were paid by the very investment banks which issued the bonds. The agencies reportedly feared losing business if they gave poor ratings to the securities.

As many CFEs know, fraud is always the principal credit risk of any nonprime mortgage lending operation. It’s impossible in practice to detect fraud without reviewing a sample of the loan files. Paper loan files are bulky, so they are photographed, and the images are stored on computer tapes. Unfortunately, most investors (the large commercial and investment banks that purchased non-prime loans and pooled them to create financial derivatives) didn’t review the loan files before purchasing them and did not even require the original lenders to provide them with the loan tapes requisite for subsequent review and audit.

The rating agencies also never reviewed samples of loan files before giving AAA ratings to nonprime mortgage financial derivatives. The “AAA’ rating is supposed to indicate that there is virtually no credit risk, the risk being thought equivalent to U.S. government bonds, which the finance industry refers to as “risk-free.”  The rating agencies attained their lucrative profits because they gave AAA ratings to nonprime financial derivatives exposed to staggering default risk. A graph of their profits in this era rises like a stairway to the stars. Turning a blind eye to the mortgage fraud epidemic was the only way the rating agencies could hope to attain, and sustain, those profit levels. If they had engaged forensic accountants to review even small samples of nonprime loans, they would have been confronted with only two real choices: (1) rating them as toxic waste, which would have made it impossible to sell the associated nonprime financial derivatives or (2) documenting that they themselves were committing, aiding and abetting, a blatant accounting fraud.

A statement made during the 2008 House of Representatives hearings on the topic of the rating agencies’ role in the crisis represents an apt summary of how the financial and government communities viewed the actions and attitudes of the three rating agencies in the years leading up to the subprime crisis. An S&P employee, testified that “the rating agencies continue to create an even bigger monster, the CDO [collateralized debt obligation] market. Let’s hope we all are wealthy and retired by the time this house of cards falters.”

With respect to bank executives, the examples of proved and alleged deception during the period are so numerous as to almost defy belief. Among the most noteworthy are:

–The SEC investigated Citigroup as to whether it misled investors by failing to disclose critical details about the troubled mortgage assets it was holding as the financial markets began to collapse in 2007. The investigation came only after some of the mortgage-related securities being held by Citigroup were downgraded by an independent rating agency. Shortly thereafter, Citigroup announced quarterly losses of around $10 billion on its subprime-mortgage holdings, an astounding amount that directly contributed to the resignation of then CEO, Charles Prince;

–The SEC conducted similar investigations into Bank of America, now-defunct Lehman Brothers, and Merrill Lynch (now a part of Bank of America);

–The SEC filed civil fraud charges against Angelo Mozilo, cofounder and former CEO of Countrywide Financial Corp. In the highest-profile government legal action against a chief executive related to the financial crisis, the SEC charged Mozilo with insider trading and alleged failure to disclose material information to shareholders, according to people familiar with the matter. Mozilo sold $130 million of Countrywide stock in the first half of 2007 under an executive sales plan, according to government filings.

As the ACFE points out, every financial services company has its own unique internal structure and management policies. Some are more effective than others in reducing the risk of management-level fraud. The best anti-fraud controls are those designed to reduce the risk of a specific type of fraud threatening the organization.  Designing effective anti-fraud controls depends directly on accurate assessment of those risks. How, after all, can management or the board be expected to design and implement effective controls if it is unclear about which frauds are most threatening? That’s why a fraud risk assessment (FRA) is essential to any anti-fraud Program; an essential exercise designed to determine the specific types of fraud to which your client organization is most vulnerable within the context of its existing anti-fraud controls. This enables management to design, customize, and implement the best controls to minimize fraud risk throughout the organization.  Again, according to the ACFE (joined by the Institute of Internal Auditors, and the American Institute of Certified Public Accountants), an organization’s contracted CFEs backed by its own internal audit team can play a direct role in this all-important effort.

Your client’s internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and review management’s fraud management capabilities periodically. They should interview and communicate regularly with those conducting the organization’s risk assessments, as well as with others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately. When performing proactive fraud risk assessment engagements, CFEs should direct adequate time and attention to evaluating the design and operation of internal controls specifically related to fraud risk management. We should exercise professional skepticism when reviewing activities and be on guard for the tell-tale signs of fraud. Suspected frauds uncovered during an engagement should be treated in accordance with a well-designed response plan consistent with professional and legal standards.

As this month’s lecture recommends, CFEs and forensic accountants can also contribute value by proactively taking a proactive role in support of the organization’s underlying ethical culture.

Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and to former partners. The evolution of targets and threats outside the enterprise are powerfully influencing the current and near-future of the risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen enterprises require adequate oversight insight into vendor involved fraud security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response.  Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexities of their vendor relationships. For example, the US Office of the Comptroller of the Currency (0CC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsels of their client enterprises to elevate their vendor-related security practices to keep pace with ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context is critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable amount of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern about which risk managers might have engaged CFEs initiate fraud risk assessments. This can pose a significant challenge, especially, when there are multiple teams involved to carry out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or other executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.

Raising the Drawbridge

One of our CFE Chapter members has had a request from her employer to assist an internal IT systems development team with fraud prevention controls during the systems development life cycle process of a new, web-based, payment application.  Evaluating and assessing the effectiveness of anti-fraud controls on the front end is much more efficient (and far less costly) than applying them on the back end on an emergency basis during or after a fraud investigation.  Our member asked us for a run down on the typical phases of a systems development project.

First off, in any systems development project the employment of a predefined set of “best practices” is generally viewed as having a positive impact on the overall quality of the system being developed. In the case of the systems development life cycle (SDLC), some generally accepted developmental practices can provide additional benefits to a CFE in terms of his or her proactive, fraud prevention control assessment. Specifically, throughout the eight steps of the SDLC, documentation is routinely created that provides valuable potential sources of control description for review. In other words, just employing generally accepted SDLC practice as prescribed in the CFE’s client’s industry is a powerful fraud prevention control in itself.

The first phase of the SDLC, system planning, is relatively straight-forward.  Executives and others evaluate the effectiveness of the proposed system in terms of meeting the entity’s mission and objectives. This process includes general guidelines for system selection and systems budgeting. Management develops a written long-term plan for the system that is strategic in nature. The plan will most probably change in a few months, but much evidence exists that such front-end planning pays dividends in terms of effective and well controlled IT solutions over the long term. CFEs can think of this phase of the life cycle as like IT governance, and the two are quite compatible. Thus, the first thing the CFE (or any auditor) would like to see is evidence of the implementation of general IT governance activities.  During this phase, several documents are typically generated. They include the long-term plan of development of the specific system within the context of the overall policies for selection of IT projects, and a short-term and long-term budget for the project, as well as a preliminary feasibility study and project authorization. Every project proposal should be documented in writing when originally submitted to management, and a master project schedule should exist that contains all the client’s approved developmental projects.  The presence of these documents illustrates a structured, formal approach to systems development within the client operation and, as such, evidences an effective planning system for IT projects and for systems in general. It also demonstrates a formal procedure for the approval of IT projects.  The CFE should add all the documents for this phase of the project under review to his or her work paper file and gather the same level of documentation for each of the subsequent SDLC cycles.

The systems analysis phase is the second in which IT professionals gather information requirements for the project. Facts and samples to be used in the IT project are gathered primarily from end users. A systems analyst or developer then processes the requirements, and produces a document that summarizes the analysis of the project.  The result is usually a systems analysis report. The systems analysis phase and its report should illustrate to the CFE the entity’s ability to be thorough in the application of its systems development process.

Phase three is the conceptual design phase. In phase two systems analysis, the requirements have been gathered and analyzed. Up to this point, the project is on paper and each of the future systems user groups will have a slightly different view of what it is and will be; this is totally normal and to be expected. At this point, a conceptual design view is developed that encompasses all the individual views. Although, a variety of possible documents could be among the total output of this phase, a data flow diagram (DFD), developed at a general level, is always the final, principal product of this phase.  For the CFE, the general DFD is evidence that the client is acting in accordance with a generally accepted SDLC framework.

Next comes phase four, systems evaluation and selection. Managers and IT staff choose among alternatives that satisfy the requirements developed in phases two and three, and meet the general guidelines and strategic policies of phase one. Part of the analysis of alternatives is to do a more exhaustive and detailed feasibility study, actually, several types of feasibility studies. A technical feasibility study examines whether the current IT infrastructure makes it feasible to implement a specific alternative. A legal feasibility study examines any legal ramifications of each alternative. An operational feasibility study determines if the current business processes, procedures and skills of employees are adequate to successfully implement the specific alternative. Last, a scheduling feasibility study relates to the firm’s ability to meet the proposed schedule for each alternative. Each of these should be combined into to a written feasibility report.

At the beginning of detail design, phase five, IT professionals have chosen the IT solution. The DFD design created in phase three is “fleshed out”; that is, details are developed and (hopefully) documented. Examples of some of the types of documentation that might be created include use cases, Unified Modeling Language (UML) diagrams, entity relationship diagrams (ERDs), relational models and normalized data diagrams.  IT professionals often do a walk-through of the software or system at this point to see if any defects in the system can be detected during development. The results of the walk-through should also be documented. To summarize this phase, a detailed design report should be written to explain the steps and procedures taken. It would also include the design documents referred to previously.

Phase six, programming and testing, includes current best practices like the use of object-oriented programs and procedures. No element of the SDLC is more important for CFEs than systems testing. Perhaps none of the phases has been more criticized than testing for being absent or performed at a substandard level. Sometimes management will try to reduce the costs of an IT project by cutting out or reducing the testing. Sound testing includes several key factors. The testing should be done offline before being implemented online. Individual modules should be tested, but even if a module passes the test, it should be tested in the enterprise system offline before being employed. That is, the modules should be tested as stand-alone and then, in conjunction with other applications, tested system wide. Test data and results should be kept, and end users should be involved in the testing.

Phase seven, implementation, represents system deployment.  The last step before deployment is a user acceptance sign-off. No system should be deployed without this acceptance. The user acceptance report should be included in the documentation. After deployment, however, the SDLC processes are not finished. One key step after implementation is to conduct a postimplementation review. This reviews the cost-benefit report, traces actual costs and benefits, and sees how accurate the projections were and if the project produces an adequate return.

The last and eighth phase is system maintenance.  The ACFE tells us that 80 percent of the costs and time spent on a software system, over its life cycle, occur after implementation. It is precisely for this reason that all of the previously mentioned SDLC documentation should be required. Obviously, the entity can leverage the 80 percent cost by providing excellent documentation. That is the place for the largest cost savings over the life of the system. It is also the argument against cutting corners during development by not documenting developmental steps and the system itself.

I’ll conclude by saying that by proactively consulting on fraud prevention controls and techniques during the SDLC, CFEs can verify that SDLC best practices are operating effectively by examining documentation to identify those major fraud related issues that should be addressed during the various phases. Of course, CFEs would certainly use other means of verification, such as inquiry and checklists as well, but the presence of proper SDLC documentation illustrates the level of application of the best practices in SDLC. Finally, a review of a sample of the documents will provide evidence that the entity is using SDLC best practices, which provides some assurance that systems are being developed efficiently and effectively so as to help raise the drawbridge on fraud.

Bring Your Own Device – Revisited

BYODI was part of a lively discussion the other night at the monthly dinner meeting of one of the professional organizations I belong to between representatives of the two sides of the bring-your-own device (now expanded into bring your own technology!) debate.  And I must say that both sides presented a strong case with equally broad implications for the fraud prevention programs of their various employing organizations.

As I’m sure a majority of the readers of this blog are well aware, the bring-your-own device (BYOD) trend of enabling and empowering employees to bring their own devices (e.g., laptop, smartphones, tablets) evolved some time ago into ‘bring your own technology’ including office applications (e.g., word processing), authorized software (e.g., data analytics tools), operating systems, and other proprietary or open-source IT tools (e.g., software development kits, public cloud, communication aids) into the workplace.

On the pro side of the discussion at our table, it was pointed out that BYOD contributes to the creation of happier employees.  This is because many employees prefer to use their own devices over the often budget-dominated, basic devices offered by their company. Employees may also prefer to reduce the number of devices they carry while traveling; before BYOD, traveling employees would carry multiples of their personal and company provided devices (i.e., two mobile phones/smartphones, two laptops and so forth).

I myself must confess that I brought a personal laptop to work every day for years because it contained powerful investigative support software too expensive for my employer to provide at the time and because a vision problem made it difficult for me to use my desktop. I used my laptop almost daily although it was never connected to the corporate network, making it necessary for me to inconveniently move back and forth between the two devices.

Our bring-your-own device advocates then went on to say that implementation of a BYOD program can additionally result in a substantial financial savings to IS budgets because employees can use devices and other IS components they already possess. The savings include those made on the cost of purchase of devices by management for employees, on the on-going maintenance of these devices and on data plans (for voice and data services). These savings can then be utilized by the company to enhance its operating margins or to even offer more employee benefits.

Another of the BYOD advocates, employed in the IS division of her company, pointed out that her division was freed by the BYOD program from a myriad of tasks such as desktop support, trouble shooting and end-user hardware maintenance activities. She too agreed that, in her opinion, this saving could be best utilized by the IS division to optimize its budget and resources.  She also pointed out that the popularity of BYODT is due, in part, to the fact that, in her experience, employees, like herself, adopt technology well before their employers and subsequently bring these enhancements to work. Thus, BYOD results in faster adoption of new technologies, which can also be an enabler for employees to be more productive or creative; a competitive advantage for their entire business.  In addition, her right hand table companion made the argument that employees can use their own, familiar device to complete their tasks more efficiently as it gives them the flexibility to quickly customize their device or technology to run faster as per their individual requirements. By contrast, in the case of company-provided devices and technology, such tailoring and customization is often time-consuming as individual employees have to provide proper cost justifications and then seek authorization through cumbersome and time consuming change requests.

On the con side, the internal auditor at our table pointed out that by allowing employees to BYOD, the employers implementing the program have opened a new nightmare for their security managers and administrators and, hence, for their fraud prevention programs. The security governance framework and related corporate security and fraud prevention policies will need to be redefined and a great deal of effort will be required to make each policy efficiently operational and streamlined in the BYOD environment.

Of course, I then had to chime in and offer my two-cents worth that concerns related to privacy and data protection could be perhaps the biggest challenge for BYOD. In industries like health care and insurance that deal with sensitive and confidential data under strict Federal and State guideline such concerns would have to hinder any rollout of BYOD. Such enterprises will be compelled by law to tread cautiously with this trend. With BYODT organizational control over data is blurred. Objections are also always raised when business and private data exist on the same device. Thus, this could certainly interfere with meeting the stringent controls mandated by certain regulatory compliance requirements.

Then our auditor friend pointed out that applications and tools may not be uniform on all devices, which can result in incompatibility when trying to, for example, connect to the corporate network or access a Word file created by another employee who has purchased a newer version.  And what about a lack of consensus among employees; some may not be willing or able to use their personal devices or software for company work.

After listening to (and participating in) the excellent arguments on both sides of the supper table, might I suggest that, the still developing trend and the very real benefits realized from BYOD suggest that the valid concerns (which this blog has certainly raised in the past) might best be considered as normal business challenges and that companies should address BYOD implementation by addressing these challenges. There are certainly steps (as the ACFE has point out) that can be taken to significantly reduce the risk of fraud.

First, establish a well-defined BYOD framework.  This can be done by soliciting input from various business process owners and units of the enterprise regarding how different areas actually use portable gadgets. This helps create a uniform governance strategy. Following are what many consider essential steps for creating a BYOD governance framework:

– -Network access control:

  1. Determine which devices are allowed on the network.
  2. Determine the level of access (e.g., guest, limited, full) that can be granted to these devices.
  3. Define the who, what, where and when of network access.
  4. Determine which groups of employees are allowed to use these devices.

— Device management control:

  1. Inventory authorized and unauthorized devices.
  2. Inventory authorized and unauthorized users.
  3. Ensure continual vulnerability assessment and remediation of the devices connected.
  4. Create mandatory and acceptable endpoint security components (e.g., updated and functional antivirus software, updated security patch, level of browser security settings) to be present on these devices.

— Application security management control:

  1. Determine which operating systems and versions are allowed on the network.
  2. Determine which applications are mandatory (or prohibited) for each device.
  3. Control enterprise application access on a need-to-know basis.
  4. Educate employees about the BYOD policy.

Create a BYOD policy.  Make sure there is a clearly defined policy for BYOD that outlines the rules of engagement and states the company’s expectations. The policy should also state and define minimum security requirements and may even mandate company-sanctioned security tools as a condition for allowing personal devices to connect to company data and network resources.  As far as security polices over BYOD go, such requirements should be addressed by having the IT staff provide detailed security requirements for each type of personal device that is used in the workplace and connected to the corporate network.

So, BYOD provides numerous benefits to the business, the key ones being reducing the IT budget and the IT department’s workload, faster adaptation to newer technology, and making employees happier by giving them flexibility to use and customize their devices to enhance efficiency at work. Of course, various challenges come along with these advantages: increased security measures, more stringent controls for privacy and data protection, and other regulatory compliance. These challenges provide a fundamentally new opportunity for innovation, redefining the governance structure and adoption of underlying technology.  CFE’s can add value to this entire challenge by on-going review of the overall corporate approach to BYODT for its impact on the fraud risk assessment and overall fraud prevention program.

From the Head Down

fishThe ACFE tells us that failures in governance are among the most prominent reasons why financial and other types of serious fraud occur.  Often the real cause of major corporate scandals and failures detailed in the financial trade press is a series of unwelcome behaviors in the corporate leadership culture: greed, hubris, bullying, and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons; so, that old saying remains true, fish rot from the head down.

CFE’s find themselves being increasingly called upon by corporate boards and upper operating management to assist as members of independent, control assurance teams reviewing governance related fraud risk. In such cases, where a board has decided to engage a third party, such as a consulting firm or law firm, to assess the risk associated with certain governance processes and practices, a CFE member of the team can ensure that the scope of work is sufficient to cover the risk of fraud, that the team’s review process is adequate, and that the individuals involved can provide a quality assessment.  Thus, if the CFE has suggestions to make concerning any fraud related aspect of the engagement, these can be shared with the review team as a whole.

As the fraud expert on a review team identifying governance related risks, the ACFE recommends that the CFE keep an open mind. Even the best boards, with the most experienced and competent directors, can fail. Examples of red flag, fraud related governance risks to consider include:

–Organizational strategies are approved and performance monitored by executives and the board without reliable, current, timely, and useful information;
–There is too great a focus on short-term results without sufficient attention to the organization’s long-term strategy;
–Oversight by the board is limited by a lack of directors with the required business, industry, technical, IT, or other experience;
–The board’s dynamics do not include sufficient challenge and skeptical inquiry by independent directors;
–Oversight by the audit committee is limited by a lack of experience in financial reporting and auditing;
–There have been instances in the past of the external auditors having failed to detect material misstatements because part of their team lacked the necessary industry experience and understanding of relevant accounting standards;
–Board oversight of risk management is constrained by a lack of risk management experience;
–Strategies approved by the board are not linked to individual goals and objectives of managers in operating departments or over key business processes;
–IT priorities are not consistent with business and organizational priorities due to a lack of communication and alignment of goals and incentive programs;
–Employees do not understand the corporate code of business conduct because it has not been clearly communicated and/or explained to them.

Once the team has identified and assessed the principal governance-related risks, the first step is to determine how to address them. The review team should take each in turn and determine the best approach. Several options might be considered. Using generally accepted traditional control approaches, many governance-related risk areas (such as awareness of the corporate code of conduct, alignment of management incentive plans and organizational strategies, or the quality of information used by the executive leadership team and the board) can be addressed without too much difficulty.

Next, the CFE needs to consider which fraud risks to recommend to the team for periodic re-assessment in recurring risk assessment plans. It’s not necessary or appropriate to periodically assess every identified governance-related fraud risk, only those that represent the most significant on-going risk to the success of the organization and its achievement of its overall fraud prevention objectives.

In a relatively mature organization, the most valuable role for the CFE team member is likely to be that of providing assurance that governance policies and practices are appropriate to the organization’s fraud risk control and management needs – including compliance with applicable laws and regulations – and that they are operating effectively.  On the other hand, if the organization is still refining its governance processes, the CFE may contribute more effectively to the governance review team in an anti-fraud consulting capacity advising or advocating improvements to enhance the evolving fraud prevention component of the organization’s governance structure and practices.

Within the context of the CFE’s traditional practice, there will be times when the board or general counsel (which has so often historically directly engaged the services of CFEs) wants the assessment of a particular governance fraud risk area to be performed by the in-house counsel.  In such instances, the CFE can directly partner with the in-house staff, forming a relationship alternative to performance as a review team member with another type of assurance provider or outside consultant.  This arrangement can offer significant advantages, including:

–Ensuring that the CFE has the benefit of the in-house legal team’s subject-matter expertise as well as knowledge of the company;
–Allow more CFE control over the scope of work, the way the engagement is performed, the conclusions drawn, and over the final report itself; for example, some CFE’s might feel more confident about expressing an opinion on whether the fraud risk under review is managed effectively by the board with in-house counsel support.

A risk-based fraud prevention plan is probably not complete unless it includes consideration of the risks inherent in the organization’s governance processes. Selecting which areas of governance to review should be based on the assessed level of risk, determined with input from management and (in all likelihood) the board itself. Different governance risk areas with fraud impact potential may merit different CFE involved review strategies, but, whatever approach is taken, careful planning is always a must.

Reviews of fraud risk related to corporate governance are never easy, and they often carry political risk. However, they are clearly important and should be given strong consideration as a component of every fraud prevention effort – not just because they are required by professional assurance standards, but because governance process failures can contribute so devastatingly to financial frauds of all kinds.

Financing in the Dark

money-laundering_1A reader of our last blog post on risk assessment, a CFE employed as an internal auditor by a large overseas financial services firm, has been asked, (in light of the Panama Papers), and as a member of an evaluation team, to perform a review of the controls comprising his company’s anti-money laundering program.  I thought his various questions about ACFE guidance on money laundering might furnish interesting matter for a blog post.  The ACFE has long identified money laundering, including terrorist financing, as a global problem.

Due to government concerns globally, laws have been enacted in countries such as the United States (the Bank Secrecy Act (BSA), Canada (Proceeds of Crime, Money Laundering and Terrorist Financing Act), and Australia (Anti-Money Laundering and Counter-Terrorism Financing Act, 2006) to combat money laundering and financing of terrorist activities. Such legislation embodies recommendations from the Financial Action Task Force (FATF), a Paris-based intergovernmental body formed in 1989 by the Group of Seven industrialized nations. As a result, financial institutions in many countries have taken initiatives to implement appropriate policies and infrastructure for ensuring compliance with applicable money laundering requirements and practices. One such step has been to implement anti -money laundering/ counter-terrorist financing programs based on FATF recommendations.  Our reader’s company is to be commended for undertaking the review since independent testing by knowledgeable assurance professionals (including CFE’s) is a critical component in ensuring existing anti-money laundering programs remain robust and fully aligned with regulatory requirements. The testing of these programs should be cohesive and integrated and include a well-defined strategy that takes a risk-based, enterprise wide perspective.

According to the ACFE, an effective anti-money laundering program includes:

–Appointment of a senior officer responsible for ensuring risks are understood, addressed, and mitigated enterprise-wide;
–Development of formal policies, procedures, and controls that are aligned with Federal and local regulations;
–Implementation of a risk-based approach for identifying risks by client, geography, product, and delivery channels;
–Implementation of a program of dynamic rules-based transaction monitoring for purposes of identifying and reporting suspicious activities;
–Implementation of training programs customized to specific functions and activities;
–Independent, periodic testing of the program.

The ACFE stresses that to be successful it’s necessary that the review team understand the organization’s products and delivery channels as well as its types of clients and their geographic location(s). It’s also necessary to understand the company’s organizational structure, infrastructure, policies, procedures, and controls for mitigating money laundering and terrorist financing risks. Also as part of the audit strategy, auditors should list all anti-money laundering regulatory requirements in the countries in which the organization does business. Once these components are clearly defined and understood, a risk profile can be developed (using the interviewing strategy featured in our last post) to ascertain risk levels and enable the creation of appropriate audit programs, staffing, and overall management of the review assignment. Needless to say, the audit strategy should always be formally approved by the organization’s chief audit executive.

The temptation to use boilerplate or template audit programs should be minimized by the development of tailored audit programs fitted to the specific nature of the business process being audited. One of the biggest challenges in developing such audit programs for money laundering is determining appropriate sampling methodologies for performing the required testing and validation. Inappropriate sampling will lead to incorrect and unsupportable conclusions. Sampling criteria and attributes must be defined clearly and be consistent with audit objectives. Once again, the audit manager should approve the sampling methodology before execution.

Our reader’s audit team will need to verify compliance with local regulations, which is not an easy task due to the high transaction volumes characteristic of industries like his. However, in most financial organizations, transaction-based processes must be automated to work and queries can be developed to create exception reports where deviations from expected outcomes exist. Out reader asked for examples of such automated exception reports and some common ones recommended by the ACFE are:

–Cash deposits of US $10,000 or greater where the required regulatory reporting has not been completed. (This threshold applies to Canada and the United States and may vary in other countries);
–Transactions with countries where trade sanctions exist;
–Industry codes listing clients in high risk industries to assess the level of enhanced due diligence performed;
–List of employees who have not completed required anti-money laundering training;
–List of clients with Post Office box addresses;
–List of clients with missing Taxpayer Identification Numbers;
–List of wire transfers from accounts owned by governments into accounts of private investment companies and politically exposed persons;
–Validating that “know your client” and customer identification requirements are compliant with local regulatory requirements;
–Validating that enhanced due diligence is performed on high-risk businesses.

Business culture has traditionally revolved around management of risks relative to sales, markets, economic trends, and reputation. Only relatively recently has regulatory risk as it relates to money laundering requirements received more intense scrutiny. Regulators have adopted a zero tolerance position, as evidenced by penalties against financial institutions for noncompliance with the ever growing body of legislation.  Financial institutions like our reader’s are considered an integral defense in the fight against money laundering and terrorist financing. It’s thus imperative that these organizations implement effective independent testing programs to assess the quality of controls relative to their anti-money laundering programs.  Sound independent testing by assurance professionals who have in-depth knowledge of fraud and regulation, as well as of risks, controls, and business processes in general is considered a key control within any organization. Fraud risk assessment review work of the anti-money launder business process provides management with the necessary intelligence for proactively managing deficiencies and ensuring that a well-aligned top-to-bottom control environment with appropriate resources and infrastructure is in place for mitigating money laundering risk.

Because fraudsters and criminals are creative and money laundering methods and techniques change constantly in response to evolving countermeasures, a useful reference for CFE’s and for auditors of all kinds is always the ACFE which provides live seminars and on-line training insights into emerging money laundering related threats as well as on-going suggestions for new areas for investigation and testing.

The Straight Scoop on Risk

risk-assessmentAny practicing auditor will tell you that information requests, getting the information needed to perform an audit or review, can be one of the most frustrating aspects of any audit work and the information requests involved with fraud risk assessments are no exception.  To successfully complete his or her assessment the CFE must develop a thorough understanding of the client’s overall system of internal control, with special emphasis on those controls over financial transactions that reduce or mitigate fraud risk.  Information requests usually signal the transition from planning to fieldwork for the CFE. How the request for that information is made sets the tone for the assessment, and can help or hurt the CFE-to-client relationship. It can also positively or negatively impact the overall achievement of review objectives, so it’s important to spend the time to get this step right.

It’s been my experience that reviewers new to CFE practice tend to compile their requests for information hastily under the assumption that the sooner they request the information; the sooner they’ll get the reply. However, as we’ve all experienced, information requests can get lost, forgotten, or ignored, and weeks can go by with no response.  Since CFE’s aren’t generally easily deterred, the problem is typically addressed by sending follow-up emails, leaving voice mails, and, as a last resort, knocking on the CFO’s office door in an attempt to get all the requested information prior to the start of serious fieldwork. And the initial request is only the beginning. During some reviews, information requests seem to never end. If the first request was for a list of key customers, a second request for invoicing procedures soon follows and the whole request process starts all over again moving like an arrow straight on through to the end of the assessment.

An alternative way around all this requires a little more work on the front-end but organizes requests so that they are received by the target data source quicker, questions are answered faster, and the CFE builds a stronger relationship with the client.  This is done by scheduling a formal, face to face meeting with the provider of the target information in his or her office immediately following the entrance conference with the CEO, corporate counsel or audit committee who engaged the CFE. The CFE should ask for and receive permission from the CEO before any information is requested from subordinate staff.  The upper management sanctioned meeting with targeted business process expert staff (say the CFO or Chief Information Systems Officer-CIFO) takes place prior to any formal information request being submitted in writing.

Meeting with the targeted business process staff in this way has many benefits and, in my experience, is well worth the time. In addition to supporting a general discussion about what information is available, it’s often possible to obtain some of the requested items themselves during the face-to-face.  I’ve often been directed to the information I want on the company databases simply by directly asking the CIFO for it.  Such meetings are invaluable to the CFE since they provide an opportunity to improve her knowledge of the business and strengthen her relationship with business process owners.  This approach doesn’t excuse CFE’s from doing all he or she can beforehand to develop as much understanding as possible of what items of information they would like to request during the meeting; this is because it’s common to learn something new about the control system of a business process in a meeting with a process expert that makes some aspect of the original request irrelevant. The best way to avoid this is to have developed a solid overview of the fraud risk assessment process, its steps and objectives, so the CFE can quickly regroup and make a new request that better satisfies the complete, overall assessment objective.

During the meeting(s) with individual process owners the CFE should provide a brief overview of the assessment and its objective(s); this will help communicate the reason for the specific information requests. Through an easy give and take the CFE can explore with the process expert where the requested information is housed and how it might best be accessed. A benefit of this approach is that all clients appreciate having the assessment objectives and requests explained to them in person. They are more willing to provide the documentation and answer the inevitable follow-up questions that arise later because they have a clear understanding of what is needed and why.  If, during the discussion with the process expert, the reviewer realizes a change needs to be made to a request, it can be addressed in real time. This also saves the CFE from having to send an embarrassing email apologizing because he or she inadvertently requested the wrong information.

Following discussion of all the requests, the CFE should consider wrapping up the meeting by asking a few questions about how the business is doing, if any new initiatives are being undertaken, if that new financial system software is meeting expectations, etc. Anything learned about the business will improve the CFE’s ability to make fraud prevention recommendations and may identify other areas of fraud vulnerability to look into at a later time.  Working to obtain this useful control related information is much easier face-to-face than over the phone or via email.

After the meetings with the client’s business process expects are finished, the CFE and his or her team (if any) will be able to start testing immediately because most of the requested documentation has been obtained or its location identified. Another benefit to this approach is efficiency, because it can significantly reduce the time spent waiting and following up with the business process owner. It also allows the CFE to use his or her time effectively.

It is much better to spend one hour with the client up front than to spend an hour each of the following three weeks sending follow-up emails.  The best-case scenario is that the CFE walks out of the meeting with all the information requested in hand or its location identified and ready to start reviewing and testing. The worst-case scenario is that the CFE leaves the meeting without the requested information, but now knows where the supporting documentation is located and can pull the information him or herself. Regardless of the outcome, the auditor has spent time building a stronger relationship with the client’s business process owners and may have received some valuable information related to that department or business process that could never have been obtained through a seemingly endless email drive.

Global Storm Clouds Rising

TankThe recent turbulence in the global financial markets is raising the by now too familiar questions in the trade press.  Who is managing the risk? Where is the oversight? Could this financial turmoil have been avoided if associated risks had been managed more proactively? Manage has a positive connotation, implying that someone is in control, as in “The governor is managing the coastal flooding event.” Risk has a negative connotation, implying a lack of control, as in “An unattended gun puts lives at risk.” Risk is everywhere and can be an opportunity or a threat. Although an effective risk management system cannot provide absolute assurance that events such as the current unsettled market situation will not occur, it can, as the least, lend confidence that the key risks will be identified and dealt with timely.

As a first step, understanding the structure and dimensions of ideal risk management can support common understanding and effective implementation by management and an adequate fraud risk assessment effort by CFE’s and other assurance professionals. Management must understand the key vulnerabilities to the business model and establish risk expectations, which can then be incorporated into business practices. Likewise, CFE’s must understand and consider the context of those expectations in their periodic fraud risk assessments. A thorough management understanding of fraud risk also improves the quality of any subsequent investigation of financial irregularities as it creates a standard against which to compare management’s due diligence efforts. Although it may be difficult for your individual clients to identify ideal standards for risk management, addressing some fundamentals can help frame those ideals.

Regulatory, market, and fraud risks are common and familiar to CFE’s, who’re used to identifying these external events and asking “What if” questions: What if this process is not in compliance? What if a fraud were to occur as a result? Inside counsel and auditors often encourage management to address these types of risks immediately, which can result in operational silos dedicated to addressing a single significant fraud risk. However, these single events are only part of the picture. What about process efficiency risk, process design risk, system implementation risk, data integrity risk, skill-set risk, and the myriad other internal risks that, from the CFE’s informed perspective impact operations and fraud prevention?  In the end, a risk is only important if it affects achievement of strategic and business objectives. Both external and internal risks can be placed in the context of their impact on business objectives. The strategic and objective framework must be defined and understood if an organization is to gauge the impact of the risks confronting it. The simplest way to define this framework is to start with the strategy and identify who is accountable for its parts. The framework is further defined as interviews with senior management reveal its objectives and accountability. The process continues until the framework has been constructively defined down to a relevant level for any external or internal risk. The relevance is determined based on the fraud risk’s ability to impact key elements of the framework. The framework provides a formal structure for ensuring strategic achievement.

Fraud risk management requires adequate identification of general risks and an awareness of existing vulnerabilities. Failure to do so can have dire consequences as the ever increasing volume of recent fraud cases attest. A century ago, modern soldiers recognized that good weapons were important to survival. However, realizing the value of tanks and exploding shells was only one element of effective risk management. Another was assessing the quality of the armor tanks carried into battle. No general would order a tank advance, without adequate vehicle armor. An army with limited protection would avoid or delay battles while its vehicles were being adequately fitted. Likewise, as an organization pursues its objectives, it must understand its strengths and vulnerabilities. Organizations cannot charge into daily economic battles without both weapons for success and armor to manage their inherent risks. Historically, assurance professionals have operated in a black-and-white world – a control is either present or absent, effective or ineffective. Although this may work for compliance or financial reporting objectives, it doesn’t help management effectively improve governance, risk management, or overall fraud prevention. Recognizing that business operations mature over time requires critical anti-fraud controls to mature with them. So if operations and controls mature over time, how does an organization organize the current state of affairs to avoid fraud vulnerabilities?

It’s important for fraud prevention to evaluate how effectively current business processes are supporting the achievement of strategic and business objectives. This evaluation will provide insights into the overall maturity of the fraud prevention controls that are in place to manage key risks. If the objective is to attack, yet the process or control maturity shows insufficient strength, it’s likely that the risk appetite of the general exceeds that of his government and country. Risk becomes more manageable with a framework of key risks in the context of key objectives and process/control maturity.

Business process and control vulnerability to fraud can be measured by defining high-level management controls that illustrate what management is doing to achieve its strategic and business objectives. By this point organizations should understand the strategy and objectives and be aware of their people, process, and technology capabilities; but this alone does not provide an overall understanding of fraud control maturity. Because maturity implies sustainability, it’s important to concurrently understand just how capable or strong the systems of control are. One way to begin creating a control maturity perspective is to look at what management is currently doing to ensure it achieves its objectives.

  • Does management have formal fraud prevention objectives that are well-written and communicated?
  • Is accountability clearly established?
  • Have metrics been set to measure the progress of those who are accountable?
  • Is existing reporting capable of illustrating the metric?
  • Are the information and communication channels adequate?
  • Does the tone at the top champion ethical behavior?

Frank answers to these types of simple questions help determine whether the CFE’s client organization is closer to the top, middle, or low levels of management fraud control maturity. This determination can help the organization identify gaps between its current level of maturity and the desired level so that actions can be prioritized to address the largest gaps. The answers to these questions can also help determine how formally objective achievement is being managed. They also provide a window into process capabilities and indicate the degree to which these capabilities are aligned with objective achievement. Informal alignment can create vulnerabilities. Management fraud control maturity is by no means the ultimate tool, but it provides a bridge in assessing risk management vulnerabilities.

All CFE’s have a role in educating senior management and the board (if there is one) about effective fraud risk management and irregularity prevention. Risk management means many things to almost everyone, yet communicating a few basic principles to clients will help CFE’s not only be successful but will provide the foundation for a program of robust fraud risk assessment. These principles help define a framework for valuing risk, assessing vulnerabilities, and determining the necessary steps for improving management fraud control maturity. Taken together, they can help any client organization improve the management of its overall risk and fraud prevention program.