Tag Archives: Fraud Reporting

Tailoring Difficult Conversations

We CFE’s and forensic accountants, like other investigative professionals, are often called upon to be the bearers of bad news; it just goes with the territory.  CFE’s and forensic accountants are somewhat unique, however, in that, since fraud is ubiquitous, we’re called upon to communicate negative messages to such a diverse range of client types; today the chairman of an audit committee, tomorrow a corporate counsel, the day after that an estranged wife whose spouse has run off after looting the family business.

If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a professional relationship. And, what’s more,  it often proves a thankless task. This was recognized in a Greek proverb almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”

Physicians, who are sometimes required to deliver worse news than most CFE’s ever will, often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families They know that the message itself, may be devastating but how they deliver it can help the patient and his or her family begin to process even the most painful facts.   CFE’s are in the fortunate position of typically not having to deliver news that is quite so shattering.  Nevertheless, there is no question that certain investigative results can be extremely difficult to convey and to receive.  The ACFE tells us that learning how to prepare for and deliver such messages can create not only a a better investigator but facilitate a better investigative outcome.

Preparation to deliver difficult investigative results should begin well in advance, even before there is such a result to deliver. If the first time an investigator has a genuine interaction with the client is to confirm the existence of a fraud, that fact in itself constitutes a problem.  On the other hand, if the investigator has invested time in building a relationship before that difficult meeting takes place, the intent and motivations of both parties to the interaction are much better mutually understood. Continuous communication via weekly updates to clients from the moment irregularities are noted by examination is vital.

However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with any resultant fallout.  In such cases, the ACFE recommends focusing on investigative process as well as on content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and for anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so  the message is correct and complete.

Self-preparation involves considering the type of person who is receiving the difficult message and in determining the best approach for communicating it. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Put as much effort as possible into getting to know your client since personality tends to drive how he or she wants to receive information, interact with others, and, in turn, values things and people. When there is critical investigative information that has to be understood and accepted, seasoned examiners consider delivery tailored specifically to the client to be paramount.

Once the ground work has been laid, it’s time to have the discussion. It’s important, regarding the identified fraud, to remember to …

–Seek opportunities to balance the discussion by recognizing the client’s processes that are working well as well as those that have apparently failed;

–Offer to help or ask how you can help to address the specific issues raised in the discussion;

–Make it clear that you understand the client’s challenges. Be precise and factual in describing the causes of the identified irregularity;

–Maintain open body language. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward as this appears extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, if the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm  the situation are not successful, you might suggest a follow-up meeting after both of you have digested what was said and to consider mutually acceptable options to move forward.

–Present the bottom-line message three times in different ways so your listener has time to absorb it.

–Let the client vent if he or she wishes. The ACFE warns against a tendency to interrupt the client’s remarks of explanation or sometimes of denial; “we don’t hire people who would do something like that!” Allowing the client time to vent frees him or her to get down to business moving afterward.

–Focus on problems with the process as well as on the actions of the suspect(s) to build context for the fraud scenario.

–Always demonstrate empathy. Take time to think about what’s going through your hearer’s mind and help him or her think through the alleged scenario and how it occurred, what’s going to happen next with the investigation, and how the range of issues raised by the investigation might be resolved.

Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results. Emotional intelligence, understanding how to read people and relate to them, is vital in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the other so-called soft skills. Yet they can be critical to the successful practice of fraud examination. Examiners rarely  get in trouble over their technical skills because such skills are generally easier for them to master.  Examiners tend to get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done on the front end to help examiners with the equally critical soft skills which only arise after the experience of actual practice.  For that reason, watching a mentor deliver difficult messages or deal with emotional people is also an effective way to absorb good practices. ACFE training utilizes the role-playing of potentially troublesome presentations to a friendly group (say, the investigative staff) as another way to exercise one’s skills.

Delivering bad news is largely a matter of practice and experience, and it’s not something CFEs and forensic accountants have the choice to avoid. At the end of the day, examiners need to deliver our news verbally and in writing and to facilitate our clients understanding of it. The underlying objective is to ensure that the fact of the alleged fraud is adequately identified, reported and addressed, and that the associated risk is understood and effectively mitigated.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.  Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organizations’ exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization goals considering that desired state is essential.  Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

A Blueprint for Fraud Risk Assessment

It appears that several of our Chapter members have been requested these last few months to assist their employers in conducting several types of fraud risk assessments. They usually do so as the Certified Fraud Examiner (CFE) member of their employing company’s internal audit-lead assessment team.   There is a consensus emerging among anti-fraud experts that conducting a fraud risk assessment (FRA) is critical to the process of detecting, and ultimately designing controls to prevent the ever-evolving types of fraud threatening organizations.

The ACFE tells us that FRAs do not necessarily specify what types of fraud are occurring in an organization. Instead, they are designed to focus detection efforts on specific fraud schemes and scenarios that could occur as well as on incidents that are known to have occurred in the past. Once these are identified, the audit team can proceed with the series of basic and specific fraud detection exercises that broad experience has shown to be effective. The objective of these exercises is to hopefully reveal the specific fraud schemes to which the organization is most exposed. This information will enable the organization’s audit team to recommend to management and to support the implementation of antifraud controls designed to address exactly those risks that have been identified.  It’s important to emphasize that fraud risk assessments are not meant to prevent fraud directly in and of themselves. They are exercises for identifying those specific fraud schemes and scenarios to which an organization is most vulnerable. That information is in turn used to conduct fraud audit exercises to highlight the circumstances that have allowed actual, known past frauds to occur or to blueprint future frauds that could occur so that the necessary controls can be put in place to prevent similar future illegal activity.

In the past, those FRAs that were conducted were usually performed by the firm’s external auditors. Increasingly, however, internal audit departments are being pressured by senior management to conduct FRAs of their own. Since internal audit departments are increasingly employing CFEs or have their expertise available to them through other company departments (like loss prevention or security), this effort can be effective since internal auditors have the tenure and experience with their organizations to know better than anyone how its financial and business operations function and can understand more readily how fraud could occur in particular processes, transactions, and business cycles.

Internal audit employed CFE’s and CIA’s aren’t involved by requirement of their professional standards in daily operations and can, therefore, provide an independent check on their organization’s overall risk management process. Audits can be considered a second channel of information on how well the enterprise’s anti-fraud controls are functioning and whether there are any deficiencies that need to be corrected.  To ensure this channel remains independent, it is important that the audit function report directly to the Audit Committee or to the board of directors and not to the chief executive officer or company president who may have responsibility for her company’s internal controls.

The Institute of Internal Auditors has endorsed audit standards that outline the techniques and procedures for conducting an FRA, specifically those contained in Statement of Auditing Standards 99 (SAS 99). By this (and other) key guidelines, an FRA is meant to assist auditors and/or fraud examiners in adjusting their audit and investigation plans to focus on gathering evidence of potential fraud schemes and scenarios identified by the FRA.

Responding to FRA findings requires the auditor to adjust the timing, nature, and extent of testing in such ways as:

• Performing procedures at physical locations on a surprise or unannounced basis by, for example, counting cash at different subsidiary locations on a surprise basis or reviewing loan portfolios of random loan officers or divisions of a savings and loan on a surprise basis;
• Requesting that financial performance data be evaluated at the end of the reporting period or on a date closer to period-end, in order, for example, to minimize the risk of manipulation of records in the period between the dates of account closings and the end of the reporting period;
• Making oral inquiries of major customers and vendors in addition to sending written confirmations, or sending confirmation requests to a specific party within vendor or customer organization;
• Performing substantive analytical procedures using disaggregated data by, for example, comparing gross profit or operating margins by branch office, type of service, line of business, or month to auditor-developed expectations;
• Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified in the past (such as at the country or regional level) to obtain their insights about the risk and how controls could address the risk.

CFE team members can make a substantial contribution to the internal audit lead team effort since it’s essential that financial operations managers and internal audit professionals understand how to conduct an FRA and to thoroughly assess the organization’s exposure to specific frauds. That contribution can add value to management’s eventual formulation and implementation of specific, customized controls designed to mitigate each type of fraud risk identified in the FRA. These are the measures that go beyond the basic, essential control checklists followed by many external auditors; they optimize the organization’s defenses against these risks. As such, they must vary from organization to organization, in accordance with the particular processes and procedures that are identified as vulnerable to fraud.

As an example, company A may process invoices in such a tightly controlled way, with double or triple approvals of new vendors, manual review of all invoices, and so on, that an FRA reveals few if any areas where red flags of vendor fraud can be identified. Company B, on the other hand, may process invoices simply by having the appropriate department head review and approve them. In the latter case, an FRA would raise red flags of potential fraud that could occur through double billing, sham company schemes, or collusion between a dishonest vendor and a company insider. For that reason, SAS 99 indicates that some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls, and other procedures that are needed to mitigate the identified risks. Effective internal controls will include a well-developed control environment, an effective and secure information system, and appropriate control and monitoring activities. Because of the importance of information technology in supporting operations and the processing of transactions, management also needs to implement and maintain appropriate controls, whether automated or manual, over computer generated information.

The ACFE tells us that the heart of an effective internal controls system and the effectiveness of an anti-fraud program are contingent on an effective risk management assessment.  Although conducting an FRA is not terribly difficult, it does require careful planning and methodical execution. The structure and culture of the organization dictate how the FRA is formulated. In general, however, there is a basic, generally accepted form of the FRA that the audit and fraud prevention communities have agreed on and about which every experienced CFE is expected to be knowledgeable. Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s reputation and its legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk of a particular fraud in the absence of any known controls that may address the risk. An organization can cost-effectively manage its fraud risks by assessing the likelihood and significance of fraudulent behavior.

The FRA team should include a senior internal auditor (or the chief internal auditor, if feasible) and/or an experienced inside or outside certified fraud examiner with substantial experience in conducting FRAs for organizations in the company’s industry.  The management of the internal audit department should prepare a plan for all the assignments to be performed. The audit plan includes the timing and frequency of planned internal audit work. This audit plan is based on a methodical control risk assessment A control risk assessment documents the internal auditor’s understanding of the institution’s significant activities and their associated risks. The management of the internal audit department should establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work process, and to incorporate new lines of business. The risk analysis examines all the entity’s activities, and the complete internal control system. Based on the results of the risk analysis, an audit plan for several years is established, considering the degree of risk inherent in the activities. The plan also considers expected developments and innovations, the generally higher degree of risk of new activities, and the intention to audit all significant activities and entities within a reasonable time period (audit cycle principle for example, three
years). All those concerns will determine the extent, nature and frequency of the assignments to be performed.

In summary…

• A fraud risk assessment is an analysis of an organization’s risks of being victimized by specific types of fraud;
• Approaches to FRAs will differ from organization to organization, but most FRAs focus on identifying fraud risks in six key categories:
— Fraudulent financial reporting;
— Misappropriation of assets;
— Expenditures and liabilities for an improper purpose;
— Revenue and assets obtained by fraud;
— Costs and expenses avoided by fraud;
— Financial misconduct by senior management.
• A properly conducted FRA guides auditors in adjusting their audit plans and testing to focus specifically on gathering evidence of possible fraud;
• The capability to conduct an FRA is essential to effective assessment of the viability of existing anti-fraud controls and to strengthen the organization’s inadequate controls, as identified by the results of the FRA;
• In addition to assessing the types of fraud for which the organization is at risk, the FRA assesses the likelihood that each of those frauds might occur;
• After the FRA and subsequent fraud auditing work is completed, the FRA team should have a good idea of the specific controls needed to minimize the organization’s vulnerability to fraud;
• Auditing for fraud is a critical next step after assessing fraud risks, and this requires auditing for evidence of frauds that may exist according to the red flags identified by the FRA.

Write & Wrong

It’s an adage in the auditing world that examination results that can’t be effectively communicated might as well not exist.  Unlike a financial statement audit report, the CFE’s final report presents a unique challenge because there is no standardized format. Our Chapter receives more general inquiries from new practitioners about the form and content of final examination reports than about almost any other topic.

Each fraud investigation report is different in structure and content, depending on the nature and results of the assignment and the information that needs to be communicated, as well as to whom the results are being directed. To be effective, therefore, the report must communicate the findings in an accurate and concise form. Corporate counsel, law enforcement, juries, an employing attorney and/or the audit committee and management of the victimized organization must all be able to delineate and understand the factual aspects of the fraud as well as the related risks and control deficiencies discovered so that appropriate actions can be taken timely. Thus, the choice of words used and the tone of the CFE’s final report are as important as the information presented within it. To help ensure their reports are persuasive and bring positive results, CFEs should strive to keep them specific, meaningful, actionable, results oriented, and timely.

Because the goal of the final report is to ensure that the user can interpret the results of the investigation or analysis with accuracy and according to the intentions of the fraud examiner or forensic accountant, the report’s tone and structure are paramount. The report should begin by aligning issues and recommendations with applicable ACFE and with any other applicable professional standards and end with results that are clearly written and timely presented. To ensure quality and accuracy, there are some basic guidelines or ground rules that authorities recommend should be considered when putting together a final report that adds value.

The CFE should consider carefully what specifically to communicate in the report, including the conditions, cause, effect, and “why” of each of the significant fraud related facts uncovered.  Fraud investigators should always identify and address issues in a specific context rather than in broad or general terms. For example, stating that the fraud resulted from weaknesses in the collection and processing of vendor payment receipts is too broad. The report should identify the exact circumstances and the related control issues and risk factors identified, the nature of the findings, an analysis of the specific actions constituting the fraud and some discussion (if the CFE has been requested to do so) of possible corrective actions that might be taken.

To force the writing toward more specificity, each paragraph of the report should express only one finding, with major points enumerated, or bulleted, and parallel structure should be used for each itemized statement of a listing of items. Further, the most important findings should be listed in the first sentence of a paragraph. Once findings are delineated, the explanatory narration of facts aligned to each finding should be presented. Being specific means leaving nothing to the
user’s interpretation beyond that which is intended by the writer.  Another way to achieve specificity is to align the writing of the report to an existing control framework like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) internal control or risk management frameworks. When issues are aligned with existing standards or to a framework, it can be easier for the CFE to explain the weaknesses in the client’s control environment that made the fraud possible.

The question to be answered is: Can the client(s) readily tell what the issues are by reading the investigative report alone? If the answer is “no,” how will they satisfactorily address areas the client will eventually deem important in moving forward toward either remediation or possible prosecution? This aspect of the writing process requires the practitioner to, first, identify to whom the final report is specifically directed and, second, determine what is to be communicated that will add value for the client. For example, the report may a communication to an employing attorney, to corporate counsel, to the client’s management or audit committee or to all three. What are their expectations? Is the report the result of a routine investigation requested by client management of possible accounts payable fraud or a special investigation to address a suspected, specifically identified fraud? The answer to these and related questions will help determine the appropriate technical level and tone for the report.

When there are different readers of the report, the process necessarily becomes more complex under the necessity to meet the expectations, understandings and eventual usages of all the parties. Finding the right words to address the identified fraud related facts in a positive tone, especially when client conditions surrounding the fraud are sometimes sensitive or at least not favorable, is crucial to making the report meaningful as well as persuasive. The investigative findings must be clear and logical. If the reported results are understood and meaningful actions that add value to the position of the various users are taken because of the findings, then the purpose and meaning of the CFE’s report (and work) will be realized.

What about investigative situations in which the CFE or forensic accountant is asked to move beyond a straight-forward presentation of the facts and, as an expert on fraud and on fraud prevention, make recommendations as to corrective actions that the client might take to forestall the future commission of frauds similar to those dealt with in the final report? In such cases (which are quite common, especially with larger clients), the final report should strive to demonstrate to the extent possible the capacity of the entity to implement the recommendations the CFE has included in the report and still maintain an acceptable level of operation.  To this end, the requested recommended actions should be written in a way that conveys to management that implementing the recommendations will strengthen the organization’s overall fraud prevention capability. The writing, as well as the complexity of the corrective action, should position the client organization to implement recommendations to strengthen fraud prevention. The report should begin with the most critical issue and progress to the least important and move from the easiest recommended corrective steps to the most difficult, or to the sequence of steps to implement a recommendation. The cost to correct the fraud vulnerability should be
apparent and easily determined in the written report. Additionally, the report should provide management with a rubric to evaluate the extent to which a deficiency is corrected (e.g., minimally corrected, fully corrected). Such a guide can be used to gauge the fraud prevention related decisions of management and serve as a basis for future fraud risk assessments.

Developing the CFE’s final report is a process that involves four stages: outlining, drafting, revising, and editing. In the outlining stage, the practitioner should gather and organize the information so that, when converted to a report, it is easy for the reader to follow. This entails reviewing the working papers and making a list of the fraud related facts to be addressed and of their related chronologies. These should be discussed with the investigative team (if any) and the
client attorney, if necessary, to ensure that there is a clear understanding of the underlying facts of the case. Any further work or research should be completed at this stage. This process may be simple or complicated, depending on the extent of the investigation, the unit or operation that is under examination, and the number of fraud related facts that must be addressed.

Once all information has been gathered, the next stage is writing the draft of the report. In completing the draft, concise and coherent statements with sufficient detail should enable the reader to understand the chronology and related facts of the fraud, the fraud’s impact on operations, and the proposed corrective actions (if requested by the client). After completing the draft, revisions may be necessary to make sure that the evidence supports the results and is written in a specific context.

The final stage involves proofreading and editing for correct grammar, sentence structure, and word usage to ensure that the facts and issues related to the fraud are effectively and completely presented and that the report is coherent. Reviewers should be used at this stage to give constructive feedback. Several iterations may be necessary before a final report is completed.

In summary, the CFE’s final report should be designed to add value and to guide the client organization’s subsequent steps to a satisfactory overall fraud response and conclusion. If the CFE’s report is deficient in communicating results, critical follow-on steps requiring immediate action may be skipped or ignored. This can be costly for any company in lost opportunities for loss recoveries, botched prosecutions and damaged reputation.

New Rules for New Tools

I’ve been struck these last months by several articles in the trade press about CFE’s increasingly applying advanced analytical techniques in support of their work as full-time employees of private and public-sector enterprises.  This is gratifying to learn because CFE’s have been bombarded for some time now about the risks presented by cloud computing, social media, big data analytics, and mobile devices, and told they need to address those risk in their investigative practice.  Now there is mounting evidence of CFEs doing just that by using these new technologies to change the actual practice of fraud investigation and forensic accounting by using these innovative techniques to shape how they understand and monitor fraud risk, plan and manage their work, test transactions against fraud scenarios, and report the results of their assessments and investigations to management; demonstrating what we’ve all known, that CFEs, especially those dually certified as CPAs, CIAs, or CISA’s can bring a unique mix of leveraged skills to any employer’s fraud prevention or detection program.

Some examples …

Social Media — following a fraud involving several of the financial consultants who work in its branches and help customers select accounts and other investments, a large multi-state bank requested that a staff CFE determine ways of identifying disgruntled employees who might be prone to fraud. The effort was important to management not only because of fraud prevention but because when the bank lost an experienced financial consultant for any reason, it also lost the relationships that individual had established with the bank’s customers, affecting revenue adversely. The staff CFE suggested that the bank use social media analytics software to mine employees’ email and posts to its internal social media groups. That enabled the bank to identify accurately (reportedly about 33 percent) the financial consultants who were not currently satisfied with their jobs and were considering leaving. Management was able to talk individually with these employees and address their concerns, with the positive outcome of retaining many of them and rendering them less likely to express their frustration by ethically challenged behavior.  Our CFE’s awareness that many organizations use social media analytics to monitor what their customers say about them, their products, and their services (a technique often referred to as sentiment analysis or text analytics) allowed her to suggest an approach that rendered value. This text analytics effort helped the employer gain the experience to additionally develop routines to identify email and other employee and customer chatter that might be red flags for future fraud or intrusion attempts.

Analytics — A large international bank was concerned about potential money laundering, especially because regulators were not satisfied with the quality of their related internal controls. At a CFE employee’s recommendation, it invested in state-of-the-art business intelligence solutions that run “in-memory”, a new technique that enables analytics and other software to run up to 300,000 times faster, to monitor 100 percent of its transactions, looking for the presence of patterns and fraud scenarios indicating potential problems.

Mobile — In the wake of an identified fraud on which he worked, an employed CFE recommended that a global software company upgrade its enterprise fraud risk management system so senior managers could view real-time strategy and risk dashboards on their mobile devices (tablets and smartphones). The executives can monitor risks to both the corporate and to their personal objectives and strategies and take corrective actions as necessary. In addition, when a risk level rises above a defined target, the managers and the risk officer receive an alert.

Collaboration — The fraud prevention and information security team at a U.S. company wanted to increase the level of employee acceptance and compliance with its fraud prevention – information security policy. The CFE certified Security Officer decided to post a new policy draft to a collaboration area available to every employee and encouraged them to post comments and suggestions for upgrading it. Through this crowd-sourcing technique, the company received multiple comments and ideas, many of which were incorporated into the draft. When the completed policy was published, the company found that its level of acceptance increased significantly, its employees feeling that they had part ownership.

As these examples demonstrate, there is a wonderful opportunity for private and public sector employed CFE’s to join in the use of enterprise applications to enhance both their and their employer’s investigative efficiency and effectiveness.  Since their organizations are already investing heavily in a wide variety of innovative technologies to transform the way in which they deliver products to and communicate with customers, as well as how they operate, manage, and direct the business, there is no reason that CFE’s can’t use these same tools to transform each stage of their examination and fraud prevention work.

A risk-based fraud prevention approach requires staff CFEs to build and maintain the fraud prevention plan, so it addresses the risks that matter to the organization, and then update that plan as risks change. In these turbulent times, dominated by cyber, risks change frequently, and it’s essential that fraud prevention teams understand the changes and ensure their approach for addressing them is updated continuously. This requires monitoring to identify and assess both new risks and changes in previously identified risks.  Some of the recent technologies used by organizations’ financial and operational analysts, marketing and communications professionals, and others to understand both changes within and outside the business can also be used to great advantage by loss prevention staff for risk monitoring. The benefits of leveraging this same software are that the organization has existing experts in place to teach CFE’s how to use it, the IT department already is providing technical support, and the software is currently used against the very data enterprise fraud prevention professionals like staff CFEs want to analyze.  A range of enhanced analytics software such as business intelligence, analytics (including predictive and mobile analytics), visual intelligence, sentiment analysis, and text analytics enable fraud prevention to monitor and assess risk levels. In some cases, the software monitors transactions against predefined rules to identify potential concerns such as heightened fraud risks in any given business process or in a set of business processes (the inventory or financial cycles).  For example, a loss prevention team headed by a staff CFE can monitor credit memos in the first month of each quarter to detect potential revenue accounting fraud. Another use is to identify trends associated with known fraud scenarios, such as changes in profit margins or the level of employee turnover, that might indicate changes in risk levels. For example, the level of emergency changes to enterprise applications can be analyzed to identify a heightened risk of poor testing and implementation protocols associated with a higher vulnerability to cyber penetration.

Finally, innovative staff CFEs have used some interesting techniques to report fraud risk assessments and examination results to management and to boards. Some have adopted a more visually appealing representation in a one-page assessment report; others have moved to the more visual capabilities of PowerPoint from the traditional text presentation of Microsoft Word.  New visualization technology, sometimes called visual analytics when allied with analytics solutions, provides more options for fraud prevention managers seeking to enhance or replace formal reports with pictures, charts, and dashboards.  The executives and boards of their employing organizations are already managing their enterprise with dashboards and trend charts; effective loss prevention communications can make effective use of the same techniques. One CFE used charts and trend lines to illustrate how the time her employing company was taking to process small vendor contracts far exceeded acceptable levels, had contributed to fraud risk and was continuing to increase. The graphic, generated by a combination of a business intelligence analysis and a visual analytics tool to build the chart, was inserted into a standard monthly loss prevention report.

CFE headed loss prevention departments and their allied internal audit and IT departments have a rich selection of technologies that can be used by them individually or in combination to make them all more effective and efficient. It is questionable whether these three functions can remain relevant in an age of cyber, addressing and providing assurance on the risks that matter to the organization, without an ever wider use of modern technology. Technology can enable the an internal CFE to understand the changing business environment and the risks that can affect the organization’s ability to achieve its fraud prevention related objectives.

The world and its risks are evolving and changing all the time, and assurance professionals need to address the issues that matter now. CFEs need to review where the risk is going to be, not where it was when the anti-fraud plan was built. They increasingly need to have the ability to assess cyber fraud risk quickly and to share the results with the board and management in ways that communicate assurance and stimulate necessary change.

Technology must be part of the solution to that need. Technological tools currently utilized by CFEs will continue to improve and will be joined by others over time. For example, solutions for augmented or virtual reality, where a picture or view of the physical world is augmented by data about that picture or view enables loss prevention professionals to point their phones at a warehouse and immediately access operational, personnel, safety, and other useful information; representing that the future is a compound of both challenge and opportunity.

Asked and Answered

Some months ago, I was involved as a member of an out-of-town fraud examination team during which the question of note taking during an investigative interview arose. A younger member of the team (a junior internal auditor) wanted to know about approaches to the documentation of not just one, but possibly of the several prospective interview sessions it initially appeared might be necessary regarding the examination.

As the ACFE tells us, notes, whether handwritten or recorded, always send an unambiguous signal to the subject that the interviewer is memorializing his or her comments. Interviews without notes are significantly limited in their value and may even signal to the interview subject that it may later be just a question of her word against the interviewer’s. If the interviewer takes only cryptic or shorthand notes and later reviews those notes with the subject to confirm what was said, the interviewer should recognize that the notes, while confirmed and edited to a certain extent, will still be less than complete.

On the other hand, tape recording an interview is a significant obstacle to full cooperation. People are reluctant to be recorded. For the most part, the use of tape recorders to take notes is not recommended in situations involving a potential fraud. Most subjects will resist the use of recorders and, even in circumstances where the subject may have agreed to their use, their responses will be more guarded than if a recorder was not used. If a recorder is used, be sure to begin the taping by recording the date, time, names of the individuals present, and an acknowledgment by the subject that they know the interview is being recorded and they have agreed to be recorded.

Once the interviewer has determined how s/he will document the interview, s/he should ask the subject if it is okay to take notes or record the session. It is the polite and professional thing to do and it serves two purposes:

–It is part of the process by which the subject is encouraged to be a participant;
–If the subject balks or tells the interviewer she does mind that the interviewer takes notes, it can open a line of questioning by the interviewer to determine the exact cause of the subject’s objections;

The subject should always be advised that note taking is critical to the integrity of the process and that notes ensure that what the subject says is documented properly. Failure to take notes limits the information to the memory and interpretation of the interviewer.  In a professional setting, most subjects will understand the critical nature of notes. Very few people will say it is not all right to take notes, regardless of how they feel about it. If they are absolutely opposed to the taking of notes, find out why and concentrate on what the subject says and reduce the interview to notes as quickly as possible after the interview. With a hostile subject who opposes note taking, the interviewer can ask if it is okay for her to make selected notes regarding dates or things the interviewer might not remember later. The interviewer can explain that it is important that s/he understand the subject’s position or communication correctly. If the subject is still adamant about the interviewer not taking notes, it should be documented in the interviewer’s report.

As the fraud interviewer develops his or her interviewing skill set, s/he should concentrate on taking verbatim notes which, among other things, include, at a minimum, nouns, pronouns, and verbs. Some practitioners recommend that the interviewer not attempt to write everything down. The argument is that, in doing so, the interviewer will not have an opportunity to observe the subject’s nonverbal communications.

The generally accepted recommendation is, therefore, where feasible, that the interviewer take down verbatim as much of what the subject says as is possible. This includes repeated words and parenthetical comments. This practice allows the interviewer to later review what the subject said as opposed to what the interviewer thought the subject said. Note taking also provides additional documentation of what the subject is communicating and (when reviewed after the fact in the light of additional knowledge) of what the subject has excluded.

During the act of taking notes, the interviewer should exercise caution. Taking notes intermittently can signal to the subject that the interviewer takes notes only when the information is important. Conversely, if, during the interview, a very sensitive area is broached, or if the subject indicates that s/he is uncomfortable with an area or issue, the interviewer can put her pencil down, lean forward, establish good eye contact, and listen to the subject. The simple suspension of note taking may place the subject at ease. As soon as the interview moves to a less sensitive area, the interviewer should try to reduce the previously mentioned sensitive area to notes. If the subject associates note taking with core interview information, the subject may interpret continued note taking as encouragement to continue talking.

The interviewer should not write down interpretive comments while taking notes. The interviewer should however make notes, where appropriate, in cases where verbal and
nonverbal indications of both resistance or cooperation are found.

The interviewer should always take notes with the possibility in mind that the notes may be subjected to third party scrutiny. This scrutiny may extend to opposing counsel in the event of litigation. The interviewer’s notes may or may not be privileged materials. With this in
mind, the interviewer should consider the following:

–Begin each separate set of interview notes on a clean page;
–Identify the date, time, and place of the interview and all the individuals present at the interview;
–Obtain as much background data on the subject as possible, including telephone numbers, and identify means of contacting him or her, including alternate numbers for family and friends;
–Initial and date the notes;
–Document the interviewer’s questions;
–Take verbatim notes if possible. Concentrate, but do not limit notes of the subject’s responses to:
• Nouns
• Pronouns
• Verb tense
• Qualifiers
• Indicators of responsibility, innocence, or guilt
–Do not document conclusions or interpretations;
–Report any unusual change in body language in an objective manner. Document the changes in body language and tone, if applicable, in conjunction with notes of what the subject or interviewer said at the time the body language or tone changed;
–At the conclusion of the interview, review the notes with the subject to confirm what the subject has said.

Finally, following the interview, your notes should be reproduced in printed form as quickly as possible.  Enough cannot be said for the value of a well-documented set of interview notes for every aspect of a subsequent investigation; their presence or absence can make or break your entire case.

The Facts Speak for Themselves

fact-findingOne of the most frequent topics our Chapter receives questions about from new members and from our on-line guests concerns the documenting and reporting of investigative results.  What types of reports do fraud examiners and forensic accountants typically produce based on what types of documentation? What should be included in the various types of documentation and reports and what should be avoided?

The ACFE tells us that documenting an investigation is as important as performing it. A poorly documented case file can lead to a disappointing conclusion, a dissatisfied client, and can even damage the investigator’s reputation. Various means by which the fraud examiner or forensic accounting investigator may report her findings have been established by over two decades of practice.  The form of the report, whether oral or written, is always a matter to be discussed with the client and with counsel. While it’s not the responsibility of the fraud examiner to advise on the legal perils associated with various forms of reporting, there are certain issues of which new investigators should be aware as their clients debate the form of reporting that will conclude the investigator’s examination.

The ACFE suggests that practitioners try to determine at the outset whether a written report is expected and, if so, its form and timing. In the usual circumstance that this point can’t be decided at the inception of the engagement, the examiner should conduct the investigation in a manner that will facilitate a comprehensive oral report, including the key documents and any exhibits necessary to illustrate the findings. Many investigations begin small, but there’s no way to know with certainty where they will lead and what will be required at the conclusion. Although the client may not have requested a report at the outset of the investigation, some event during the investigation may change the client’s mind, and the investigator should to be prepared to respond. For example, you may determine during an investigation that an officer of the company violated a law or regulation, thereby requiring the company to consider self-reporting and possibly

bringing a civil action against the officer and other third parties. Alternatively, you may be subpoenaed for your part in an investigation that has captured the attention of regulatory agencies or law enforcement. While you can testify only as to what procedures you recall performing and the attendant findings, your client, and your own reputation, will be better served if you always have through and proper documentation. Try to perform an investigation as if you might be asked later to report formally on your findings and on the exact procedures performed.

Members also ask about the types of reports.  The most common reports are:

Written reports

  • Report of investigation. This form of written report is given directly to the client, which may be the company’s management, board, audit committee of the board, in-house counsel or outside counsel. The report should stand on its own; that is, it should identify all the relevant evidence that was used in concluding on the allegations under investigation. This is important because the client may rely on the report for various purposes such as corporate filings, lawsuits, employment actions, or alterations to procedures and controls.
  • Expert report filed in a civil court proceeding. The American Institute of Certified Public Accountants (AICPA) publishes an excellent practice aid on the full range of expert reports.
  • Affidavits. These are voluntary declarations of facts and are communicated in written form and sworn to by the witness (declarant) before an officer authorized by the court.
  • Informal reports. These consist of memos to file, summary outlines used in delivery of an oral report, interview notes, spreadsheets listing transactions along with explanatory annotations, and other less-formal written material prepared by the investigation team.

Oral reports

  • Oral reports are usually delivered by the investigation engagement leader to those overseeing an investigation, such as a company’s board, or to those who represent the company’s interests, such as outside counsel.
  • Oral reports involve giving a deposition, as a fact witness or expert witness, during which everything that is said, by all parties to the deposition, is transcribed by a court reporter.

Reports documenting an investigation differ considerably from audit opinions issued under generally accepted auditing standards (GAAS). The investigative report writer is not constrained by the required language of a governing standard, and investigative reports differ from one another in organization and content depending on the client’s stated needs. In contrast, financial audit reports adhere to set formula prescribed by GAAS. The uses of written reports also differ. The client could do any of the following things with an investigative report:

  • Distribute the report to a select group of individuals associated with the company in various capacities;
  • Voluntarily give the report to a prosecutor as a referral for prosecution;
  • Enter the report as evidence in a civil fraud proceeding;
  • Give the report to outside counsel for use in preparing regulatory findings, entering negotiations, or providing other legal services on behalf of the company.

However the client decides to use the report, its basic elements usually include the following organizaton:

  • Identify your client;
  • In the case of a lawsuit, identify the parties;
  • State in broad terms what you were asked to do;
  • Describe your scope, including the period examined;
  • Include mention of any restriction as to distribution and use of the report;
  • Identify the professional standards under which the work was conducted;
  • Identify exclusions in the reliance on your report (the report is not a financial audit, etc.);
  • State that your work should not be relied on to detect all fraud;
  • Include the procedures you performed, technical pronouncements relied upon, and findings.

Although a summary can be helpful to the reader it may be perilous for the report writer in terms of keeping critical information and perspectives intact. Caution is advised when preparing two types of summary sections: executive summary and conclusion.  If you do write a summary, be careful not to offer an opinion on the factual findings unless specifically requested to do so by the client. The facts should speak for themselves.

It may be appropriate to include in a concluding section of the Report of Investigation certain recommendations for additional investigative procedures or a description of control breakdowns you have observed. Also, a carefully written executive summary at the beginning of the report can be extremely helpful to the reader, especially when it precedes a long and complex report. The executive summary should offer in simple, straightforward language an accurate statement of significant findings. Each summarized finding should include a reference to the full description of findings included in the complete Report of Investigation.

Fraud examination reports are powerful tools which can assist client management in a myriad of ways but, like anything else, if ineptly prepared, represent a minefield for the beginning practitioner.

Who’s the Client?

lawyer_1While I was away on vacation last week our Chapter received an on-line comment-request from a CFE practitioner currently working on a fraud investigation for an attorney on the legal staff of a major international corporation.   The commenter was seeking some overview information relating to the protection of the content of her soon to be completed investigative report under U.S. law.  As I’m sure most of you remember, the attorney-client privilege applies where there is a (1) confidential (2) communication (3) between attorneys and their clients (4) made for the purpose of rendering or receiving legal advice.

To protect the report of an internal investigation, the report should be communicated to the lawyer (preferably the lawyer should initiate the investigation), it should not be distributed to anyone else, and it should be for the purpose of providing the lawyer information he or she needs to render a legal opinion or provide legal advice. The key element is that the attorney (whether in-house counsel-or outside counsel) is having the investigation conducted for the purpose of providing legal advice to the company.  The privilege generally extends to information gathered by investigators like our CFE enquirer if the investigator is acting at the direction of the attorney.

The ACFE tells us that the existence of the following will help ensure that communications gathered during the investigation will be protected under the attorney-client privilege:

–The communications were made by corporate employees to counsel;
–The communications were made at the direction of corporate superiors in order for the company to obtain legal advice from counsel;
–The employees were aware that the communications were being made in order for the company to obtain legal advice;
–The information needed was not available from upper management;
–The communications concerned matters within the scope of the employees’ corporate duties;
–The communications were confidential when made and were kept confidential by the company.

CFE’s and forensic accountants should not make the mistake of believing that just because an attorney is involved all reports and communications are protected by the attorney-client privilege. The privilege protects only those communications related to the attorney providing legal advice. Often courts will seek to determine whether the attorney was actually rendering legal advice or merely performing investigative services. Some courts have taken a narrow view of the privilege and have held that if the investigation could have been conducted just as easily by a private investigator, then the lawyer was acting as just that, an investigator, not as a lawyer; therefore, the privilege would not apply.

The ACFE cautions that the most often overlooked requirement is that the CFE’s report remain confidential. Even if a report meets all of the other requirements (prepared by a CFE for the attorney for the purpose of providing legal advice), the privilege will be lost if it is disclosed to anyone other than “the client.” In the corporate setting, it’s often hard to determine just who “the client” is. However, it’s generally clear that senior officials within the company are authorized to seek advice from an attorney on behalf of the company and to act on such advice. Accordingly, most courts have held that communications between an attorney and senior-level management are protected, while communications between an attorney and lower-level employees may not be.  Therefore, special care should be taken to ensure that the attorney-client privilege is not waived inadvertently by giving documents or communicating information to anyone outside the investigation team, including members of law enforcement. If information gathered during an investigation is shared with law enforcement, then the privilege may be waived not only as to the information given, but also to any other information relating to the same subject matter. This is known as “horizontal” waiver. Some courts have held that waiver of the privilege as to one document implies waiver as to all documents concerning the same subject matter.

If a fraud examiner or forensic accountant feels that a case should be recommended for criminal prosecution, the examiner should consult with the attorney before providing any information to government or law enforcement authorities. For example, if an investigator submits a copy of his report to the prosecutor who initiates criminal proceedings based on the findings in the report, the criminal defendant may be able to require the investigator to provide all the documents he or she used in writing the report. In such an instance, the investigator may be considered to have waived the privilege. Likewise, if law enforcement requests the results of an investigation or information gathered during an investigation, the attorney should be consulted before turning over the information. Some courts have held that the privilege is not waived if a company is subpoenaed to produce the information.

The work product doctrine protects materials that are prepared in anticipation of litigation.  the Supreme Court has set forth some protection for materials prepared with an eye toward litigation. The Court has stated that the doctrine promoted the “orderly prosecution and defense of legal claims” by providing attorneys with a zone of privacy that was essential to their role as an adversary.  People often mistakenly believe that the work product doctrine is connected to, or is part of, the attorney-client privilege. It is not. One of the main differences between the work product doctrine and the attorney-client privilege is that the work product doctrine is not a privilege. The work product doctrine is a provision of the discovery rules which provides that in certain instances, items will be protected from discovery. As such, the work product doctrine is really a “qualified immunity” from discovery. It differs from an evidentiary privilege (such as attorney-client privilege) in that even if the document falls within the definition of “work product,” the judge still can order that the document be produced if the opposing party can show “substantial need” for the protected information and that the information cannot be obtained from another source. However, even if “substantial need” is shown, the mental impressions and opinions of an attorney concerning the litigation are not subject to disclosure under any circumstances.

In virtually every lawsuit, there will be disputes about what must be produced and what is protected from discovery. The rules are not always clear, and they are not applied consistently in either the federal or state courts. One good, but not foolproof protection, is to put the phrase “PRIVILEGED AND CONFIDENTIAL” at the top of every document produced regarding the case. Of course, this statement is not evidence the document is legally privileged or protected, but it does show an intention to keep the communication confidential, and will alert others that the document contains sensitive information.

Some general exceptions to the privilege rule are:

–Only the holder of a privilege, or the holder’s designated representative, can assert the privilege.
–If the holder, after having notice and opportunity, fails to assert it, the privilege is waived.
–If the holder discloses significant information to someone outside the protected relationship, the privilege does not hold.
–The communication must be pertinent to the protected relationship (a physician and a patient must be discussing health issues), or there is no privilege. Ordinary discussion not deemed confidential is not protected.

When a Fraud Goes Public

reputationDownload Our Chapter’s Free App RVACFES on Google-Play!

There’s a high probability that every fraud examiner, during the course of his or her career, will work on at least one fraud that hits the newspapers.  Your client and its counsel will undoubtedly turn to you as a member of the investigative team for input, especially, as is most frequently the case, the whole experience will be new to them. Given the overwhelming importance of corporate on-line and off-line reputation as a driver of value and with sustainability as a strategic concern, the bottom-line value of communicating with all corporate publics about both tangible and intangible events affecting performance has risen. This is doubly the case with a sensitive issue like a publicized fraud. Today, the ACFE tells us, intangible assets can account for as much as 70 percent of the value of a business. They include brand, employee loyalty, credibility, trust, and (perhaps of most importance) reputation. In a world continually rocked by corporate governance and other scandals, attention to reputation risk is proving more important than ever. Because organizations derive that reputation from how their various stakeholders and publics perceive their performance, behavior, and actions in the goldfish bowl of social media, the need for more careful management of the public information interface is also vital but especially so in a crisis.

The ACFE also reports that a growing number of major global companies are investing substantial resources to manage their reputational risk, and have increased their efforts to do so over the last five years. Indeed, 82 percent of risk managers report their companies are making a “substantial” effort to manage reputational risk, and 81 percent said they’ve increased their focus on reputational risk during the last 36 months. That’s partly because risk managers recognize the difficulty most enterprises have attempting to wrap their corporate arms around the nuances of just what a reputation is and what risks it faces, and also because less than half of the executives surveyed said the management of reputational risk was “highly integrated” with their enterprise risk management (ERM) function or another risk oversight program.

During the fraud risk assessment process many CFE’s have likely suspected or even warned that the actions that some of their client enterprises were taking or planning to take – especially those related to over-the-top spending or perceived lapses in corporate ethical judgement – might not be viewed today with the stakeholder disinterest they once were.   Now, every management must deal with reputational risks that were not necessarily reputational risks in the past, and they must deal with changes – rapid in many cases given social media – in the public’s estimation of what is and isn’t acceptable corporate behavior.

Any publicized fraud, major or minor, impacts the corporate reputation and serves as proof that all of its key fraud risks are intertwined; each risk can impact others. Losses to fraud impact reputation just as surely as bad strategic decisions. To help minimize the negative effects of these intertwined threats, organizations should consider identifying risk champions within the organization, including the CEO, the president, regional presidents, and, sagely, the marketing director, whose roles would include not only monitoring and reporting on on-going reputational risks but, acting as a committee,  in actively shaping the corporate response to a publicized fraud.  These champions routinely look for reputational risks as part of their day-to-day activities, arranging for corporate auditors to test anti-fraud controls and look at policies and procedures that might carry some type of reputational risk.  Likewise, every member of management should be sensitized to be aware of reputational risks and educated to identify areas for audit that, in their opinion, are not being managed correctly and thus likely represent loci of developing fraud-related threats to the enterprise’s good name.

Organizations which haven’t experienced a publicized fraud often overlook the multifaceted nature of reputational risk and the need to consider it at the inherent level, rather than focusing, as so many organizations do, on reputational risk at the lower, residual level; damage to reputation is never just a residual effect and should never be viewed as such. This judgment error can leave managements complacent about the magnitude of damage a threat to the company’s reputation can cause. A sense of comfort with the expected perceived control level can make many boards and executives not think about the inherent, potentially devastating reputational risks that are always lurking around every corner.  Never forget, the world’s response to a damaged reputation is faster and harsher today than ever before.

Just how fast social media can change and affect the public’s opinion of any company is something of which many organizations are still insufficiently aware.  Although companies cannot prevent anti-company commentary related to a fraud on social media sites, they can monitor them and possibly influence them. It’s doubtful that many of today’s client senior management were taught the practice of determining potential reputational risks and of monitoring a corporation’s response to them on social media.  CFE’s need to recommend that client companies expand their public mood-tracking activities to these venues when actually responding to and addressing a published fraud.

The management of reputational risk during a publicized fraud requires a constantly updated, fresh approach to what could happen and the reverberations it could have throughout an enterprise’s public universe. Financial responsibility as one type of reputational risk that is not new; as consumers become more actively involved in narratives involving stock market manipulation and corporate corruption, companies are more at risk for being labeled as ‘irresponsible’ if they don’t have a perceived high level of corporate governance. Worldwide slow economic growth has made the reputational risk of all corporate related missteps a greater threat to any company because it simply might not be able to recover from a financial fraud fallout as quickly as it might have in high growth times. Slow growth may also lead more employees to engage in the kind of activity – fraud, theft, quality corner-cutting – that can damage an organization’s reputation and the general public is well of aware of the fact.

Helping client companies manage reputational risk during their response to publicized frauds, including that risk in their fraud risk assessments and then on-going reassessment of the performance of risk related  controls is an area where CFE’s can add tremendous value at very little incremental cost; doing so will certainly add value to the overall fraud prevention effort. And don’t overlook training front line employees in their role in protecting the corporate reputation.

Thoughtful, coordinated management of the fallout from a publicized fraud is the difference between a company stumbling blindly into a far worse reputation debacle than necessary, and heading off disaster by acting swiftly to contain the reputational damage and move the organization forward. CFE’s have a critical role to play in all of this.

The Client Waltz

waltzNot too long ago I attended a dinner meeting out of town and had a short discussion about field work with a fellow fraud examiner working her first fraud examination as part of an investigative team.  The corporate counsel of the client organization had directly engaged her small firm and my new friend and dinner partner was experiencing difficulty in gaining access to the client staff with whom she needed to work to perform her part of the investigation.  The root problem seemed to be that the engaging counsel had failed to adequately brief either the lead fraud examiner or his client on just how the examination was be conducted and, consequently the examiners were experiencing frustration because they didn’t think they were initially working with the right people to get their job done.

All too often, fraud examiners are asked to rely on a small number of primary contacts – such as the controller, chief financial officer, or business process manager – to supply all the information for an engagement. In some instances, these individuals may, as a result of confusion or worse, prevent the examiner from speaking with other members of the area under review – a practice referred to as shuttling. But regardless of whether this occurs, talking only with supervisors and managers may not elicit the detail and precision necessary for an effective review.  It’s critical that CFE’s know how to break down any barriers that keep them from those with actual knowledge of the fraud, while at the same time avoiding any damage to their rapport with the primary review contact (in this case, the corporate counsel).  This can be an intricate dance indeed! By enhancing their interpersonal soft skills, CFE’s can walk this delicate line more effectively and increase the likelihood of an outcome satisfactory to all parties. Several key skills, in particular, help fraud examiners gain access to all relevant client staff and elicit the kind of information that will result in a better investigative product.

As a general rule the CFE team leader should try to set up a detailed engagement planning and ground rule meeting with the primary examination contact(s) before starting the examination and then follow up with a formal engagement letter. Meeting the corporate counsel for lunch, for example, would have helped break the ice and provide a more relaxed environment for initial discussion then the hurried phone call from the client counsel that apparently took place in this case.  During the meeting, the lead CFE should try to identify some common ground that can be used throughout the engagement to shore up the relationship and help build rapport. S/he should also take note of the clients’ mannerisms and reactions and keep them in mind later when performing the review. When posing a tough fraud related question to the client, for example, the auditor can then observe whether the client’s mannerisms change compared to those observed while simply establishing rapport. Subsequent further probing on the part of the review team may be warranted if discrepancies are noted.

It’s always a challenge for a team of fraud examiners to quickly learn as much as possible about the business processes affected by a fraud before speaking directly with process owners. Otherwise, those involved with the fraud may perceive the CFE’s as ill prepared or uninformed and be prompt to try to take advantage of that ignorance. When any team member lacks familiarity with the client’s business, her credibility and professionalism may be called into question, and the relationship with the client can quickly become impaired.

Understanding the basic mechanics of client financial business processes up front enables the team to devote more of their engagement efforts to direct examination work. In other words, it helps ensure team member practitioners don’t spend an inordinate amount of time learning while on the job, focusing instead on staying alert for unusual transactions involving the fraud, changes in suspect behavior, and other potential issues. Moreover, examination subjects are more likely to point out more complex issues and solicit input if they feel comfortable with the examiner’s abilities. These insights, in turn, may lead to opportunities for documenting a wide range of situations useful later in court and subsequent recovery efforts.

And it goes without saying that team members should avoid excessively confident or arrogant behavior. In most instances client employees will know more about their operation than the investigative team, and they deserve respect for their expertise. Client staff should be lead to perceive the team as working collaboratively with them in a didactic manner to help resolve a difficult situation — this approach typically achieves the best results. By contrast, even a perception of an adversarial or gotcha approach can quickly sour the situation and compromise the entire process of the examination.

When asking the tough questions, the ACFE tells us that team members should avoid phrasing that may seem confrontational, and they should refrain from steering the response. For example, instead of saying, “You review the XYZ report weekly, correct?” the examiner could say something like, “Could you help me understand how often you review the XYZ report?” Essentially, CFE’s should ask open ended, nonthreatening questions, followed by requests for clarification. Also, be sure to express interest.  Team members should always try to show genuine interest in the subject’s work. In most instances, client employees are proud of what they do, and are pleased to share the details of their work with those they perceive as experts. Expressing interest can elicit valuable information and enhance the examination quality.  Interest is demonstrated by not appearing rushed and by asking relevant, informed questions.  Although this approach takes time (and CFE’s are always pressed for time), it can lead to insight and knowledge that always proves invaluable during the court room and prosecution phases that so often follow from our work product. For example, the unusual or infrequent irregular transactions/events that may not surface during standard interviews or via sample-based testing but are so vital to our work can often be highlighted in this manner.

Client employees contacted in the course of the investigation should be assured that the team is only interested in the facts and that no one is looking to judge them or their work product. Examiners need to listen carefully and objectively to subjects and avoid approaching discussions with apparent preconceived notions or biases. Maintaining impartiality will not only enhance our results, it should result in a stronger relationship with the main client, even when engagements lead to the confirmation of the suspected fraud.

Clarifying the significance of examination findings and discussing workable approaches for moving forward with the main client, help maintain the CFE to client relationship and establishes the CFE as a trusted fraud expert and advisor. For example, suppose the CFE, during her examination discovers that someone in the organization (not connected with the suspected fraud) has the ability to receive goods into inventory, perform physical inventory procedures (cycle counts), make inventory adjustments based on inventory counts, and directly write off damaged inventory to scrap. When reporting this collateral fact, the CFE might want to do more than simply document the apparent access and segregation of duties issues. S/he might want to elaborate on the finding’s significance for potential future fraud by mentioning the risk of loss of inventory (assets), as the employee’s level of system access provides an opportunity to inappropriately write off usable product as damaged, lost, or never received and then use it for personal gain. Descriptive interactions of this type add value to the examination by enabling our main client to fully appreciate the larger risks (even beyond the present fraud) associated with findings and take appropriate action to address them.

When identifying and framing any fraud related issue, CFE’s should keep its true level criticality in context. Managers and business leaders do not appreciate drama, and overreacting can hurt the examiner’s credibility and rapport with valuable future business contacts. Sticking to the facts can help keep almost any sensitive situation from spinning out of control.

Mindful management of the mechanics of client relations can change a stunted two-step into a graceful waltz.  All it takes is practice.