All posts by clawver

Cash In – Cash Out

One of our associate Chapter members has become involved in her first fraud investigation just months after graduating from university and joining her first employer. She’s working for a restaurant management consulting practice and the investigation involves cash theft targeting the cash registers of one of the firm’s smaller clients. Needless to say, we had a lively discussion!

There are basically two ways a fraudster can steal cash from his or her employer. One is to trick the organization into making a payment for a fraudulent purpose. For instance, a fraudster might produce an invoice from a nonexistent company or submit a timecard claiming hours that s/he didn’t really work. Based on the false information that the fraudster provides, the organization issues a payment, e.g., by sending a check to the bogus company or by issuing an inflated paycheck to the employee. These schemes are known as fraudulent disbursements of cash. In a fraudulent disbursement scheme, the organization willingly issues a payment because it thinks that the payment is for a legitimate purpose. The key to the success of these types of schemes is to convince the organization that money is owed.

The second way (as in our member’s restaurant case) to misappropriate cash is to physically remove it from the organization through a method other than the normal disbursement process. An employee takes cash out of his cash register, puts it in his pocket, and walks out the door. Or, s/he might just remove a portion of the cash from the bank deposit on their way to the bank. This type of misappropriation is what is referred to as a cash theft scheme. These schemes reflect what most people think of when they hear the term “theft”; a person simply grabs the money and sneaks away with it.

What are commonly denoted cash theft schemes divide into two categories, skimming and larceny. The difference between whether it’s skimming or larceny depends completely on when the cash is stolen, a distinction confusing to our associate member. Cash larceny is the theft of money that has already appeared on a victim organization’s books, while skimming is the theft of cash that has not yet been recorded in the accounting system. The way an employee extracts the cash may be exactly the same for a cash larceny or skimming scheme. Because the money is stolen before it appears on the books, skimming is known as an “off-book” fraud. The absence of any recorded entry for the missing money also means there is no direct audit trail left by a skimming scheme. The fact that the funds are stolen before they are recorded means that the organization may not be “aware” that the cash was ever received. Consequently, it may be very difficult to detect that the money has been stolen.

The basic structure of a skimming scheme is simple: Employee receives payment from a customer, employee pockets payment, employee does not record the payment. There are a number of variations on the basic plot, however, depending on the position of the perpetrator, the type of company that is victimized, and the type of payment that is skimmed. In addition, variations can occur depending on whether the employee skims sales or receivables (this post is only about sales).

Most skimming, particularly in the retail sector, occurs at the cash register – the spot where revenue enters the organization. When the customer purchases merchandise, he or she pays a cashier and leaves the store with whatever s/he purchased, i.e., a shirt, a meal, etc. Instead of placing the money in the cash register, the employee simply puts it in his or her pocket without ever recording the sale. The process is made much easier when employees at cash collection points are left unsupervised as is the case in many small restaurants. A common technique is to ring a “no sale” or some other non-cash transaction on the employee’s register. The false transaction is entered on the register so that it appears that the employee is recording the sale. If a manager is nearby, it will look like the employee is following correct cash receipting procedures, when in fact the employee is stealing the customer’s payment. Another way employees sometimes skim unrecorded sales is by conducting sales during nonbusiness hours. For instance, many employees have been caught selling company merchandise on weekends or after hours without the knowledge of the owners. In one case, a manager opened his store two hours early every day and ran it business-as-usual, pocketing all sales made during the “unofficial” store hours. As the real opening time approached, he would destroy all records from the off-hours transactions and start the day from scratch.

Although sales skimming does not directly affect the books, it can show up on a company’s records in indirect ways, usually as inventory shrinkage; this is how the skimming thefts were detected at our member’s client. The bottom line is that unless skimming is being conducted on a very large scale, it is usually easier for the fraudster to ignore the shrinkage problem. From a practical standpoint, a few missing pieces of inventory are not usually going to trigger a fraud investigation. However, if a skimming scheme is large enough, it can have a marked effect on a small business’ inventory, especially in a restaurant where profit margins are always tight and a few bad sales months can put the concern out of business. Small business owners should conduct regular inventory counts and make sure that all shortages are promptly investigated and accounted for.

Any serious attempt to deter and detect cash theft must begin with observation of employees.  Skimming and cash larceny almost always involve some form of physical misappropriation of cash or checks; the perpetrator actually handles, conceals, and removes money from the company. Because the perpetrator will have to get a hold of funds and actually carry them away from the company’s premises, it is crucial for management to be able to observe employees who handle incoming cash.

Charting the Road Ahead

There are a number of good reasons why fraud examiners and forensic accountants should work hard at including inclusive, well written descriptions of fraud scenarios in their reports; some of these reasons are obvious and some less so. A well written fraud report, like little else, can put dry controls in the context of real life situations that client managers can comprehend no matter what their level of actual experience with fraud. It’s been my experience that well written reports, couched in plain business language, free from descriptions of arcane control structures, and supported by hard hitting scenario analysis can help spark anti-fraud conversations throughout the whole of a firm’s upper management.

A well written report can be a vital tool in transforming that discussion from, for example, relatively abstract talk about the need for an identity management system to a more concrete and useful one dealing with the report’s description of how the theft of vital business data has actually proven to benefit a competitor.

Well written, comprehensive fraud reports can make fraud scenarios real by concretely demonstrating the actual value of the fraud prevention effort to enterprise management and the Board. They can also graphically help set the boundaries for the expectations of what management will expect the prevention function to do in the future if this, or similar scenarios, actually re-occur. The written presentation of the principal fraud or loss scenario treated in the report necessarily involves consideration of the vital controls in place to prevent its reoccurrence which then allows for the related presentation of a qualitative assessment of the present effectiveness of the controls themselves. A well written report thus helps everyone understand how all the control failures related to the fraud interacted and reinforced each other; it’s, therefore, only natural that the fraud examiner or analyst recommend that the report’s intelligence be channeled for use in the enterprise’s fraud and loss prevention program.

Strong fraud report writing has much in common with good story telling. A narrative is shaped explaining a sequence of events that, in this case, has led to an adverse outcome. Although sometimes industry or organization specific, the details of the specific fraud’s unfolding always contains elements of the unique and can sometimes be quite challenging for the examiner even to narrate. The narrator/examiner should especially strive to clearly identify the negative outcomes of the fraud for the organization for those outcomes can sometimes be many and related. Each outcome should be explicitly explicated and its impact clearly enumerated in non-technical language.

But to be most useful as a future fraud prevention tool the examiner’s report needs to make it clear that controls work as separate lines of defense, at times in a sequential way, and at other times interacting with each other to help prevent the re-occurrence of the adverse event. The report should attempt to demonstrate in plain language how this structure broke down in the current instance and demonstrate the implications for the enterprise’s future fraud prevention efforts. Often, the report might explain, how the correct operation of just one control may provide adequate protection or mitigation. If the controls operate independently of each other, as they often do, the combined probability of all of them failing simultaneously tends to be significantly lower than the probability of failure of any one of them. These are the kinds of realities with the power to significantly and positively shape the fraud prevention program for the better and, hence, should never be buried in individual reports but used collectively, across reports, to form a true combined resource for the management of the prevention program.

The final report should talk about the likelihood of the principal scenario being repeated given the present state of preventative controls; this is often best-estimated during discussions with client management, if appropriate. What client management will truly be interested in is the probability of recurrence, but the question is actually better framed in terms of the likelihood over a long (extended) period of time. This question is best answered by involved managers, in particular with the loss prevention manager. If the answer is that this particular fraud risk might materialize again once every 10 years, the probability of its annual occurrence is a sobering 10 percent.

As with frequency estimation, to be of most on-going help in guiding the fraud prevention program, individual fraud reports should attempt to estimate the severity of each scenario’s occurrence. Is it the worst case loss, or the most likely or median loss? In some cases, the absolute worst case may not be knowable, or may mean something as disastrous as the end-of-game for the organization. Any descriptive fraud scenario presented in a fraud report should cover the range of identified losses associated with the case at hand (including any collateral losses the business is likely to face). Documented control failures should always be clearly associated with the losses. Under broad categories, such as process and workflow errors, information leakage events, business continuity events and external attacks, there might have to be a number of developed, narrative scenarios to address the full complexity of the individual case.

Fraud reports, especially for large organizations for which the risk of fraud must always remain a constant preoccupation, can be used to extend and refine fraud prevention programs. Using the documented results of the fraud reporting process, report data can be converted to estimates of losses at different confidence intervals and fed to the fraud prevention program’s estimated distributions for frequency and severity. The bottom line is that organizations of all sizes shouldn’t just shelve their fraud reports but use them as vital input tools to build and maintain the ongoing process of fraud risk assessment for ultimate inclusion in the enterprise’s loss prevention and fraud prevention programs.

! RVACFES May 2019 Spring Training Event !

The ACFE wants to help establish you as a consummate courtroom professional! Certified Fraud Examiners, accountants, auditors and investigative/assurance professionals of all kinds are called upon to provide testimony in criminal and civil prosecutions where their services can be used to support investigations of matters such as financial frauds, embezzlements, misapplication of funds, bankruptcy fraud, improper accounting practices, and tax fraud. Fraud examiners may also be used as defense witnesses or to support the defendant’s counsel on matters that involve accounting or audit related issues.

LEARN MORE

There are two basic kinds of testimony. The first is lay testimony (sometimes called factual testimony), where witnesses testify about what they have experienced firsthand and their factual observations. The second kind is expert testimony, where a person who, by reason of education, training, skill, or experience, is qualified to render an expert opinion regarding certain issues at hand. Typically, a fraud examiner who worked on a case will be capable of providing lay testimony based on observations made during the investigation.

Certified Fraud Examiners (CFEs) and forensic accountants serve two primary roles as experts in forensic matters: expert consultants and expert witnesses. The fraud investigator must always be prepared to serve as an expert witness in court and learning how best to do so is critical for the rounded professional. The expert consultant is an independent fraud examiner/accounting contractor who provides expert opinions in a wide array of cases, such as those relating to fraud investigations, divorces, mergers and acquisitions, employee-employer disputes, insurance disputes, and so on. In a fraud case, the CFE could identify and document all fraudulent transactions. This in turn could lead to reaching a plea bargain with a guilty employee. Therefore, the CFE helps solve a problem before any expert trial testimony is needed.

In addition, CFEs and forensic accountants are called upon to provide expert consultation services involving testimony in such areas as:

• Fraud investigations and management.
• Business valuation calculations.
• Economic damage calculations.
• Lost profits and wages.
• Disability income analysis.
• Economic analyses and valuations in matrimonial (prenuptial, postnuptial, and divorce) accounting.
• Adequacy of life insurance.
• Analysis of contract proposals.

As you will learn, the most important considerations at trial for experts are credibility, demeanor, understandability, and accuracy. Credibility is not something that can be controlled in and of itself but is a result of the factors that are under the control of the expert witness. Our speaker, HUGO HOLLAND, CFE, JD,  will expound in greater detail on these and other general guidelines:

• The answering of questions in plain language. Judges, juries, arbitrators, and others tend to believe expert testimony more when they truly understand what the expert says. It is best, therefore, to reduce complicated, technical arguments to plain language.

• The answering of only what is asked. Expert witnesses should not volunteer more than what is asked even when not volunteering more testimony could suggest that the expert’s testimony is giving the wrong impression. It is up to counsel to clear up any misimpressions through follow-up questions. That is, it is up to counsel to “rehabilitate” an expert witness who appears to have been impeached. That said, however, experienced expert witnesses sometimes volunteer information to protect their testimony from being twisted. Experience is needed to know when and how to do this. The best thing for an inexperienced expert witness is to work with experienced attorneys who know how to rehabilitate witnesses.

• The maintenance of a steady demeanor. It is important for the expert witness to maintain a steady, smooth demeanor regardless of which questions are asked and which side’s attorney asks them. It is especially undesirable to do something such as assume defensive body language when being questioned by the opposing side.

• How to be friendly and smile at appropriate times. Judges and juries are just people, and it helps to appear as relaxed but professional.

• Remain silent when there is an objection by one of the attorneys. Continue speaking only when instructed to do so.

• How best to state the facts. The expert witness should tell truth plainly and simply. You will learn how the expert’s testimony should not become more complicated or strained when it appears to be harmful to the client the expert represents. The expert witness should not try to answer questions to which she does not know the answer but should simply say that she does not know or does not have enough information to form an opinion.

• Learn to control the pace The opposing attorney can sometimes attempt to crush a witness by rapid fire questions. The expert witness should avoid firing back answers at the same pace. This can avoid giving the appearance that she is arguing with the examining attorney. It also helps prevent her from being rushed and overwhelmed to the point of making mistakes.
• Learn how to testify effectively on direct and cross examination, basic courtroom procedures, and most important, tricks for surviving on the witness stand. Improve your techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. Walk away with more effective report writing skills and explore the different types of evidence and legal remedies in this 2-day, ACFE instructor-led course.

REGISTER HERE

The Association of Certified Fraud Examiners is the world’s largest anti-fraud organization and premier provider of antifraud training and education. Together with more than 85,000 members, the ACFE is reducing business fraud worldwide and inspiring public confidence in the integrity and objectivity within the profession. Visit ACFE.com to learn more.

“ACFE,” “CFE,” “Certified Fraud Examiner,” “CFE Exam Prep Course,” “Fraud Magazine,” “Association of Certified Fraud Examiners,” “Report to the Nations,” the ACFE Seal, the ACFE Logo and related trademarks, names and logos are the property of the Association of Certified Fraud Examiners, Inc., and are registered and/or used in the U.S. and countries around the world.

Inflexible Reporting

Our Chapter and the ACFE have published a number of articles and posts over the last few years about the various types of pressures that can push ethically challenged employees over the line between temptation and the perpetration of an actual accounting fraud. One category of such pressure stems directly from the nature of our present system of periodic financial reporting which, it can be argued, not only creates unnecessary volatility in the stock and financial markets but ends up requiring rational investors to demand a premium for securities investments by emphasizing the short term risk that near term, inflexable, quarterly earnings targets will not be met. The pressure to meet these short term targets can only give rise to operational inefficiencies which in turn drive up the inherent inefficiency in the transmission of information from public companies to financial markets based on a model which hasn’t changed much since its original definition during the Great Depression years of the 1930’s.

I’ve seen articles in the Journal of Accountancy and in other authoritative financial publications pointing toward a better way and, with the advent of and widening support for the electronic reporting of financial results to the SCC (the XBRL initiative), we can hope we’re well into the drawn of a new age. That there’s been pushback to this effort is understandable. Those familiar with the technical and professional minefield of the present quarterly reporting process can only feel sympathy with those financial officers who have to go through it, quarter by quarter and year after year. Questions originally abounded about process and mechanics like how is electronically published financial information going to be verified and what real controls are there over its reliability? What happens if there’s an honest mistake?

Think about all this from the point of view of the fraud examiner. If enterprises, listed and non-listed, can make the transition from a periodic to a real-time, electronic based financial reporting system, the resulting efficiencies and the decrease in numerous types of fraud related risk would be truly striking. Real-time financial reporting would free our clients from the tyranny of the present, economically nonsensical, reporting of quarterly results. How much of the incentive to commit financial fraud to meet the numbers does that immediately alleviate? As one financial expert after another has pointed out over the years, there’s just no justification for focusing on a calendar quarter as the unit in which to take stock of financial performance, beyond the fact that that’s what’s presently codified in the law. By contrast, what if financial information were published and available to all users on a real-time basis? The immediate availability of such information, continuously updated, on whatever basis is appropriate for the individual enterprise and its industry, would force companies to adopt a reporting unit that ready makes sense to them and to their principal information users. For some companies that unit might be a week, a month, a quarter, semi-annually or a year. So be it. Let a thousand flowers bloom; the upshot is that what would end up being reported would make sense for the company, its industry and for the information users rather than the one-size fits all, set in stone, prescription of the present law.

An additional advantage, and one with immediate implications for fraud prevention, would be the opportunity for increased efficiency in financial markets as investment dollars could be allocated not according to quarterly results or according to the best guess estimates of financial analysts, but by reliable financial information provided directly by the company all the time; goodbye to many of the present information control vulnerabilities that support insider trading because information is not widely and efficiently disseminated. The point is that by employing digital, cloud-based analytics report building tools properly, users of all kinds could customize a set of up-to-date financial reports (in whatever format) on whatever time period, that suits their fancy.

But many have also pointed out that if there is to be such a shift from periodic to real-time financial reporting, there needs to be a fundamental change in basic attitudes toward financial reporting. Those who report and those who inspect financial information will have to change their focus from methods by which the numbers themselves are checked (audited) to methods (as with XBRL) that focus on the reliability of the system that generates the numbers. That’s where fraud examiners and other financial insurance professionals come in. On-line financial information will be published with such frequency and so rapidly, that there will be no time to “check” individual numbers; the emphasis for assurance professionals will, therefore, need to shift away from checking numbers and balances to analysis of and reporting on the integrity of the system of internal controls over the reporting system itself; understanding of the details of the internal control system over financial reporting will gain a level of prominence it’s never had before.

Fraud examiners need to be aware of these issues when counseling clients about the profound impact that digitally based, on-line reporting of financial information is and will have on their fraud prevention and fraud risk assessment programs. As with all else in life, real time financial reporting will inevitably decrease the risk of some fraud scenarios and increase the risk of others.

Fraud Detection-Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good fraud prevention tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day. The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years; I personally applied the approach as an essential tool throughout by carrier as a chief audit executive (CAE). Basically, the heart of a system of concurrent fraud auditing (CFA) like that of CAA is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies in as close to their occurrence as possible. Today’s networked/cloud based processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL server, by in-house client IT applications like Oracle and SAP. In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering. The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place. Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central concept of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices. At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios. The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics. As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators. By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios. Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff. This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag). The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process. This level would produce pre-formatted reports to management or constitute emergency exception notices. Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses to an offending e-mail user.

There is additionally yet a third level for our system which is to use the CFA to monitor the concurrent fraud auditing process itself. Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate council as documented evidence of management’s performance of due diligence in its fight against fraud.

So I would encourage our member CFE to discuss the CFA approach with the management of her client. It isn’t the right tool for everyone since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the implementing organization. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud. CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door (think banking applications) and to control all aspects of the processing of insurance claims.

Matching SOCS

I was chatting with the soon-to-be-retired information systems director of a major Richmond insurance company several nights ago at the gym. Our friendship goes back many years to when we were both audit directors for the Virginia State Auditor of Public Accounts. My friend was commenting, among other things, on the confusing flood of regulatory changes that’s swept over his industry in recent years relating to Service Organization Controls (SOC) reports. Since SOC reports can be important tools for fraud examiners, I thought they might be an interesting topic for a post.

Briefly, SOC reports are a group of internal control assurance reports, performed by independent reviewers, of IT organizations providing a range of computer based operational services, usually to multiple client corporations. The core idea of a SOC report is to have one or a series of reviews conducted of the internal controls related to financial reporting of the service organization and to then make versions of these reports available to the independent auditors of all the service organization’s user clients; in this way the service organization doesn’t have to be separately and repeatedly audited by the auditors of each of its separate clients, thereby avoiding much duplication of effort and expense on all sides.

In 2009 the International Auditing and Assurance Standards Board (IAASB) issued a new International Standard on Assurance Engagements: ‘ISAE 3402 Assurance Reports on Controls in a Service Organization’. The AICPA followed shortly thereafter with a revision of its own Statement on Auditing Standards (SAS) No. 70, guidance around the performance of third party service organization reports, releasing Statement on Standards for Attestation Engagement (SSAE) 16, ‘Reporting on Controls in a Service Organization’. So how does the SOC process work?

My friend’s insurance company (let’s call it Richmond Mutual) outsources (along with a number of companion companies) its claims processing functions to Fiscal Agent, Ltd. Richmond Mutual is the user organization and Fiscal Agent, Ltd is the service organization. To ensure that all the claims are processed and adequate internal controls are in place and functioning at the service organization, Richmond Mutual could appoint an independent CPA or service auditor to examine and report on the service organization’s controls. In the case of Richmond Mutual, however, the service organization itself, Fiscal Agent, Ltd, obtains the SOC report by appointing an independent service auditor to perform the audit and provide it with a SOC 1 report. A SOC 1 report provides assurance on the business processes that support internal controls over financial reporting and is, consequently, of interest to fraud examiners as, for example, an element to consider in structuring the fraud risk assessment. This report can then be shared with user organizations like Richmond Mutual and with their auditors as deemed necessary. The AICPA also provides for two other SOC reports: SOC 2 and SOC 3. The SOC 2 and SOC 3 reports are used for reporting on controls other than the internal controls over financial reporting. One of the key differences between SOC 2 and SOC 3 reports is that a SOC 3 is a general use report to be provided to anyone while SOC 2 reports are only for those users specifically specified in the report; in other words, the distribution is limited.

SOC reports are valuable to their many users for a whole host of obvious reasons but Fraud Examiners and other assurance professionals need to keep in mind some common misconceptions about them (some shared, I found, by my IT friend). SOC reports are not assurances. IASSB and AICPA guidelines specify that SOC reports are to be of limited distribution, to be used by the service organization, user organization and user auditors only and thus should never be used for any other service organization purpose; never, for example, as marketing or advertising tools to assure potential clients of service organization quality.

SOC 1 reports are used only for reporting on service organization internal controls over financial reporting; in cases where a user or a service organization wants to assess such areas as data privacy or confidentiality, they need to arrange for the performance of a SOC 2 and/or SOC 3 report.

It’s also a common mistake to assume that the SOC report is sufficient verification of internal controls and that no controls on the user organization side need to be assessed by the auditors; the guidelines are clear that while verifying controls at the service organization, controls at the user organization should also be verified. Since service the organization provides considerable information as background for the service auditor’s review, service organizations are often under the mistaken impression that the accuracy of this background information will not be evaluated by the SOC reviewer. The guidelines specify that SOC auditors should carefully verify the quality and accuracy of the information provided by the service organization under the “information provided by the service organization” section of their audit program.

In summary, the purpose of SOC 1 reports is to provide assurance on the processes that support internal controls over financial reporting. Fraud examiners and other users should take the time to understand the varied purpose(s) of the three types of SOC reports so they can use them intelligently. These reports can be extremely useful to fraud examiners assessing the fraud enterprise risk prevention programs of user organizations to understand the controls that impact financial operations and related IT controls, especially in multiple-service provider scenarios.

Sniffing it Out

The first Virginia governor I worked for directly was John Dalton, who was fond of saying that his personal gauge for ethically challenged behavior was the smell test, i.e., did any proposed action (and its follow-on implications) have the odor of appropriateness. Philosophical theories provide the bases for most useful practical decision approaches and aids, although a majority of seasoned executives are unaware of how and why this is so. Whatever the foundation of the phenomena may be, most experienced directors, executives, professional accountants (and governors) appear to have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis.

If these preliminary tests give rise to concerns, most think a more thorough analysis should be performed. It is often appropriate (and quite common in practice) for subordinate managers and other employees to be asked to check a proposed decision in a quick, preliminary manner to see if an additional full-blown ethical or practicality analysis is required. These quick tests are often referred to as sniff tests. If any of these quick tests are negative, employees are asked to seek out someone like the corporate counsel or an ethics officer (if there is one) for consultation, or to personally perform a full-blown analysis of the proposed action. This analysis is usually retained, and perhaps even reviewed by upper management.

Some of the more common sniff tests employed by managers with whom I’ve worked are:

–Would I be comfortable if this action or decision were to appear on the front page of a national newspaper tomorrow morning?
Will I be proud of this decision?
Will my mother and father be proud of this decision?
Is this action or decision in accord with the corporation’s mission and code?
Does this feel right to me?

Unfortunately, although sniff tests and commonly used ethical rules of thumb are based on ethical principles as popularly conceived and are often useful, they rarely, by themselves, represent anything approaching a comprehensive examination of the confronting decision and therefore can leave the individuals and organization(s) involved vulnerable to making a challengeable choice. For this reason, experts advise that more comprehensive techniques of evaluation should be employed whenever a proposed decision is questionable or likely to have significant consequences. Analysis of specific sniff tests and the related heuristics reveals that they usually focus on a fraction of the comprehensive set of criteria that more complete forms of analysis examine.

Traditionally, an accepted business school case approach to the assessment of a corporate decision and the resulting action has been to evaluate the end results or consequences of the action. To most businesspeople, this evaluation has traditionally been based on the decision’s impact on the interests of the company’s owners or shareholders.

Usually these impacts have been measured in terms of the profit or loss involved, because net profit has been the measure of well-being that shareholders have wanted to maximize. This traditional view of corporate accountability has been modified over the last two decades in two ways. First, the assumption that all shareholders want to maximize only short-term profit appears to represent too narrow a focus. Second, the rights and claims of many non-shareholder groups, such as employees, consumers/clients, suppliers, lenders, environmentalists, host communities, and governments that have a stake or interest in the outcome of the decision, or in the company itself, are being accorded an increased status in corporate decision making.

Modern corporations are increasingly declaring that they are holding themselves self -accountable to shareholders and to non-shareholder groups alike, both of which form the set of stakeholders to which the company pledges to respond. It has become evident (look at the Enron example) that a company cannot reach its full potential, and may even perish, if it loses the support of even one of a select set of its stakeholders known as primary stakeholders.

The assumption of a monolithic shareholder group interested only in short-term profit is undergoing modification primarily because modem corporations are finding their shareholders are to an increasing degree made up of persons and institutional investors who are interested in longer-term time horizons and in how ethically individual businesses are conducted. The latter, who are referred to as ethical investors, apply two screens to investments: Do the investee companies make a profit in excess of appropriate hurdle rates, and do they strive to earn that profit in a demonstrably ethical manner?

Because of the size of the shareholdings of mutual and pension funds, and of other types of institutional investors involved, corporate directors and executives have found that the wishes of ethical investors can be ignored only at their peril. Ethical investors have developed informal and formal networks through which they inform themselves about corporate activity, decide how to vote proxies, and how to approach boards of directors to get them to pay attention to their concerns in such areas as environmental protection, excessive executive compensation, and human rights activities in specific countries and regions. Ethical investors as well as other stakeholder groups, tend to be increasingly unwilling to squeeze the last ounce of profit out of the current year if it means damaging the environment or the privacy rights of other stakeholders. They believe in managing the corporation on a broader basis than short-term profit only. Usually the maximization of profit in a longer than one-year time frame requires harmonious relationships with most stakeholder groups based on the recognition of the interests of those groups.

A negative public relations experience can be a significant and embarrassing price to pay for a decision making process that fails to take the. wishes of stakeholder groups into account. Whether or not special interest groups of private citizens are also shareholders, their capacity to make corporations accountable through social media is evident and growing. The farsighted executive and director will want these concerns taken into account before offended stakeholders have to remind them.

Taking the concerns or interests of stakeholders into account when making decisions, by considering the potential impact of decisions on each stakeholder, is therefore a wise practice if executives want to maintain stakeholder support. However, the multiplicity of stakeholders and stakeholder groups makes this a complex task. To simplify the process, it is desirable to identify and consider a set of commonly held or fundamental stakeholder interests to help focus analyses and decision making on ethical dimensions; stakeholder interests such as the following:

1.Their interest(s) should be better off as a result of the decision.
2. The decision should result in a fair distribution of benefits and burdens.
3. The decision should not offend any of the rights of any stakeholder, including the decision maker, and ..
4. The resulting behavior should demonstrate duties owed as virtuously as expected.

To some extent, these fundamental interests have to be tempered by the realities facing decision makers. For example, although a proposed decision should maximize the betterment of all stakeholders, trade-offs often have to be made between stakeholders’ interests. Consequently, the incurrence of pollution control costs may be counter to the interests of short-term profits that are of interest to some current shareholders and managers. Similarly, there are times when all stakeholders will find a decision acceptable even though one or more of them, or the groups they represent, may be worse off as a result.

In recognition of the requirement for trade-offs and for the understanding that a decision can advance the well-being of all stakeholders as a group, even if some individuals are personally worse off, this fundamental interest should be modified to focus on the well-being of stakeholders rather than only on their betterment. This modification represents a shift from utilitarianism to consequentialism. Once the focus on betterment is relaxed to shift to well-being, the need to analyze the impact of a decision in terms of all four fundamental interests becomes apparent. It is possible, for example, to find that a proposed decision may produce an overall benefit, but the distribution of the burden of producing that decision may be so debilitating to the interests of one or more stakeholder groups that it may be considered grossly unfair. Alternatively, a decision may result in an overall net benefit and be fair, but may offend the rights of a stakeholder and therefore be considered not right. For example, deciding not to recall a marginally flawed product may be cost effective, but would not be considered to be right if users could be seriously injured. Similarly, a decision that does not demonstrate the character, integrity, or courage expected will be considered ethically suspect by stakeholders.

A professional CFE can use an assessment of our client organization’s stakeholder ethical concerns in making pro-active recommendations about fraud detection and prevention strategies and in conducting investigations and should be ready to prepare or assist in such assessments for employers or clients just as they currently do in other fraud deterrence related business processes.

Although many hard-numbers-oriented investigators will be wary of becoming involved with the soft risk assessment of management’s tone-at-the-top ethically shaped decisions, they should bear in mind that the world is changing to put a much higher value on the quality and impact of management’s whole governance structure, the posture of which cannot failure to negatively or positively affect the design of the client’s fraud control and prevention programs.

Ambiguous Transactions

As any experienced fraud examiner will be happy to tell you, unambiguously distinguishing individual instances of fraud, waste and abuse, one from the other, can be challenging; that’s because transactions demonstrating characteristics of one of these issues so often share characteristics of the other(s). A spate of recent articles in the trade press confirm the public impression not only that health care costs are constantly rising but that poorly controlled health care provider reimbursement systems represent significant targets of waste and abuse, both within companies themselves and from external bad actors.

While some organizations review their health benefits programs and health administrator organizations annually, others appear to be doing relatively little in this area. Consequently, CFEs are increasingly being asked as audit team members to participate in fraud risk assessments of hearth benefits administration (HBA) programs for corporations, government entities, and nonprofit organizations. As a consequence, ACFE members are increasingly identifying practices that result in recoverable losses as well as losses that were never recovered because some among our client organizations have never effectively audited their health benefit plans.

A good place to start with this type of fraud risk assessment is for the CFE to evaluate the oversight of HBA reporting activities that could identify unidentified losses for the client organization.

Many organizations contract with third-party administrators (TPAs) to oversee their employee insurance claims process, health care provider network, care utilization review, and employee health plan membership functions. In the arena of claims processing, in today’s environment of rising costs, TPAs can make significant claim payment errors that result in financial losses to the CFE’s client organization if such errors are not promptly identified, recovered, and credited back to the plan. Claim overpayments are common in the industry; and most TPAs themselves have audit processes in place to minimize the losses to their clients. Many control assurance professionals incorrectly assume that the claim audit covers all the exposures, as the primary function of claims administration is to pay claims. This misconception can block a true understanding of the nature of the exposures and lessen the client’s sense of the necessity that systematic fraud and waste detection audits of health care claims transactions are performed, both externally and internally.

The trade press recently reported that an administrator for a U.S. federal government health benefit’s health plan changed its method of administering coordination of benefits (COB) from “pursue and pay” to “pay and pursue.” Under “pursue and pay,” the administrator determines who the primary insurance payer is before making payment. Under “pay and pursue,” the administrator pays the insurance claim and pursues a refund only if it itself is determined to be the secondary payer. In this case, the clients were billed for the payment of full benefits, even though they should have been the secondary payers. The financially strapped administrator recovered the overpayments, deposited them into a bank account, and never credited its clients. Following an audit, one of the client plans received a check for $2.3 million for its share of the refunds that were not returned to it. Is this case of apparent deception an example of fraud? Of waste? Or of abuse?

If COB savings had been routinely monitored by each of the plans, along with each client’s other cost containment activities, they would have noticed that the COB savings had fallen off and were next to nothing under “pay and pursue.” When looking at COB, CFEs and client internal auditors should review the provisions of the contract with the administrator to determine who is responsible for identifying other group coverage (OGC), the methodology for investigating OGC, time limitations for recovering overpayments, and the requirements for the reporting of savings to the client organization by the administrator. In conducting their risk assessments, client management and CFEs also should consider the controls over the organization’s oversight of monitoring COB savings and over the other cost containment activities performed by the administrator.

The COB case considered above was intentional deception, but losses also can be unintentional. To recover overpayments, the TPA can use a refund request letter to request refunds from healthcare providers (hospitals, physicians, etc.), or use the provider offset method, which deducts the overpayment from the provider’s next payment. The ACFE has reported one case in which a provider voluntarily returned an overpayment. The administrator’s policy was to return the refund check to the submitting provider with a form to complete including instructions to send the form and the check back to the administrator to initiate a provider offset on the next payment to the provider. No logs were kept of the checks received and returned to the providers. Following an audit, the client found that, because of a lack of training, personnel of its administrator had deposited the returned checks from providers into an administrative holding account. Subsequent to the investigation and administrative staff training, the client’s refund activity increased from almost nothing to more than $1 million a year. Including the monitoring and analyzing of refund activity as a component of the fraud prevention program will unfailingly provide insight into how well claim overpayments are being controlled.

When assessing for fraud risk regarding refund activity for health insurance overpayments, CFEs should pay attention to the collection methods used by the administrator, overpayment amounts and time limitations for recovery, and the use of external vendors and their shared savings on recoveries. Reporting from the administrator should be required to include an analysis of refund activity, the reasons for the refund(s), breakout between solicited and unsolicited refunds, and the balance of outstanding refunds.

Sometimes it cannot be determined whether an organization’s losses are intentional or unintentional. For example, in one review, several organizations contracted with a marketing firm specializing in a new approach to control health-care costs. The marketing firm hired an administrator to process the claims for its clients. After four months with the firm, an alert accountant at one of the organizations questioned why funding requests coming from the marketing firm were running 20 percent higher each month than they had been with the previous administrator. The organization’s finance division requested a review which revealed that the marketing firm had been billing its clients based on claims processed by the administrator, including claims not paid. The firm insisted it had not been aware that the funding requests resulted in client overbilling and agreed to refund the overbilled amounts to the organization.

Monitoring and approving the funding requests against some measure of expected costs can identify when costs should be investigated. When reviewing funding requests, assurance professionals should pay attention to the internal funding approval process, supporting detail provided by the administrator to support the funding, funding limitation controls to identify possible overfunding for follow-up investigation, bank account setup and account access, and the internal funding reconciliation process.

While losses may occur because of the administrator’s practices, losses (waste) also can go undetected because the organization does not perform adequate oversight of the practices used on its accounts. Preferred provider organization (PPO) discounts are common in managed health care plans. When organizations use PPO networks that are independent of the administrator’s contracted network, the PPO networks receive the claim first to reprice it with the negotiated rate. The PPO network generates a repricing sheet, which is sent with the original claim to the administrator for processing and payment.

In one case, no one explained the repricing sheets to the claim examiners, so they ignored them. The claims system automatically priced and loaded the administrator’s network claims with the negotiated rates into the claims system. However, because the client’s external PPO network fees were not in the claims system, the claims were paid at billed charges. The client lost an estimated $750,000 in discounts over a one-year period and was paying 34 percent of the savings to the PPO networks for savings that it never received. The client did not detect the lost discounts because it never reconciled the discounts reported by the PPO’s quarterly billings for its share of the savings to a discount savings as reported by the administrator.

While examining risks regarding discounts, CFE’s auditors should review the administrator’s or independent PPO network’s contracts regarding PPO pricing and access to pricing variation for in-network provider audits, alternative savings arrangements using external vendors for out-of-network providers, and reporting of PPO discount savings. Within their own organizations, auditors should be instructed to review the internal process of monitoring discount reporting and reconcile PPO shared savings to the administrator reporting the discounts.

There are frequent reports on fraud, abuse, and errors in government health programs issued by the U.S. Department of Health and Human Services’ Office of the Inspector General and by the U.S. Government Accountability Office; all these reports can be of use to CFEs in the conduct of our investigations. Because many of our client organization’s health plans mirror government programs, the fraud risk exposure in organizations is almost everywhere the same. Organizations have incurred tremendous losses by not systematically reviewing benefits administration and through lack of understanding of the dynamics of health plan oversight within their organizations. Developing and promoting a team response within an organization to foster understanding of the exposures in the industry is a practical role for all CFEs. This posture puts fraud examiners (as members of the fraud/abuse prevention and response team) in a position to provide management with assurance that the reporting on the millions spent on employees’ health benefits is accurate and reasonable and that associated costs are justified.

The Multi-Purpose Final Report

ACFE training has long told us that a prudently crafted final examination report can have a variety of important uses. As we know, when the fraud investigation has been completed, the investigator writes a formal report. The report itself plus expert opinions and testimony are then used as needed to support the resolution of issues that can relate to a whole host of matters potentially concerning taxes, employment, regulatory reporting, litigation (civil and criminal), and insurance claims.

Because the report can be used for such varied purposes, it should always be constructed under the assumption that it will be challenged in court. This requires that the report meet very high standards; any errors or misstatements in it may be used to undermine the credibility of both the report and of the investigator who wrote it.

Frauds typically result in business losses. For income tax purposes, such losses may be classified as either deductions or offsets to reportable revenues depending on the type of loss and the taxing authority. In cases of misappropriation, almost any type of asset can be fraudulently converted, and in some cases, a valuation expert might be needed to determine the dollar amount of the loss.

In cases of occupational fraud, the financial records can be so damaged from the fraud scheme that an exact determination of the loss is impossible. In such cases, the report may attempt to estimate the loss using any reasonable means available because taxing authorities often permit estimation of losses in cases of destroyed records.

Some occupational fraud schemes result in so much damage to the financial records that the entity will not have enough information to file tax returns. This can happen, for example, if the revenue records are either destroyed or rendered unreliable as a result of fraudulent transactions and journal entries. In such cases, it might be necessary to conduct a major reconstruction of the accounting records before losses can be determined, reliable financial statements can be generated, and tax returns can be filed. In fact, in some cases, the fraud investigator’s report might need to focus on the loss due to destruction of the financial records and leave open the issue of misappropriation pending reconstruction of the financial records. Of course, depending on the scope of the investigation and the available information, the investigator might both reconstruct the financial records and report on any misappropriation losses.

Another tax-related issue involves the embezzlement of funds set aside to pay payroll taxes. The U.S. federal tax system sometimes refers to such funds as trust fund taxes because under tax law, these funds belong to the Internal Revenue Service (IRS) from the moment they are collected. The business and the owners merely serve as trustees in collecting the taxes on behalf of the IRS.

Employers who terminate an employee for committing fraud can eventually battle the employee in litigation. In some cases, the former employee may sue for wrongful termination of employment, defamation, or discrimination. In other cases, an employee who is to be fired might have collective bargaining rights that require an arbitration process with a right of appeal. Fired employees may also attempt to claim government unemployment compensation benefits.

As a general rule, employees who are fired for serious misconduct (e.g., fraud) are not entitled to benefits. However, employees may argue that their termination was not deserved and may request a hearing to argue their side of the story. If this occurs, a fraud investigation report could serve as important evidence.

Whether a fired employee receives unemployment benefits may be important in determining the amount the company is required to pay for unemployment insurance. As a result, an employer who routinely fires employees runs the risk of incurring considerable increases in the cost of unemployment insurance. To make things even worse, if a fired employee was the one in charge of making unemployment insurance contributions but did not make them on time, a penalty rate of 150 percent could be applied to the employer’s future contributions. The exact consequences depend on the particular state involved because rules for unemployment insurance for state and federal governments differ. As a result of the possible tax and legal consequences as well as of possibly embarrassing publicity, employers are frequently reluctant to fire dishonest employees. Instead, they do things to encourage dishonest employees to leave voluntarily after taking measures to prevent them from continuing the fraud. In some cases, employers actually give dishonest employees favorable recommendations for future jobs.

Sometimes, a fraud investigation report may trigger mandatory reporting of the fraud to a government agency. For example, §1233.3 (a) of Title 12 (Banks and Banking) of the U.S. Electronic Code of Federal Regulations states the following:

‘A regulated entity shall submit to the Director a timely written report upon discovery by the regulated entity that it has purchased or sold a fraudulent loan or financial instrument, or suspects a possible fraud relating to the purchase or sale of any loan or financial instrument.’

A fraud investigation report can sometimes be more helpful in ruling out fraud than in ruling it in. For example, a report might read, “A detailed examination of the financial records did not reveal any intentional irregularities or evidence of fraud or misappropriation.” On the other hand, when there is fraud, the report might read something like, “There was a series of irregular computerized journal entries made in the accounts receivables ledgers and corresponding shortages in the cash account. The employee in charge of the computerized journal entries left the company before this investigation began and was not available for an interview. The owner states that only she and the former employee had access to the journal in question.”

The wording in this report suggests that the former employee may have embezzled funds from collections on account by making irregular journal entries. But the report cannot guarantee that s/he did so, nor can it definitively conclude that a fraud occurred. As a general rule in advance of an occupational fraud investigation, interested parties should not assume that the investigation will result in a report that gives a definitive answer to whether a fraud occurred. A more reasonable outcome is a report that identifies missed or damaging records or missing assets.

Fraud reports can be very helpful in both criminal and civil litigation. However, they can be less than satisfying in trying to persuade authorities to prosecute a suspect. What happens too often is that police or prosecutors browse through a fraud investigation report looking for a clear statement that identifies the guilty person. But, of course, such statements don’t appear in independent fraud investigation reports written by CFEs.

In many cases, a fraud investigation report is enough to at least persuade authorities to look at a case, especially with the hope of getting a quick confession. But if the suspect denies everything or lawyers up, law enforcement quickly realizes that they will need to hire a forensic accountant (because it is unlikely that they have one of their own) and will be forced to try to understand what they consider to be arcane and obscure accounting concepts.

The saying in law enforcement circles (as with the news media) is “if it bleeds, it leads.” In a metropolitan area, police quickly send a dozen squad cars, a SWAT team, and a helicopter to pursue someone who robs a liquor store of $100 with a penknife. But the same police respond with glassy eyes if the owner of the same liquor store reports that his accountant has robbed the business of $100,000 using a computer to manipulate the accounting records.

Although it does happen, most victims do not sue their fraudsters, primarily because fraudsters are typically judgment proof, meaning they do not have sufficient assets to repay their victims. However, criminal courts can and do order restitution, which can provide a strong motive for the victim to prosecute the perpetrator. In some jurisdictions, courts order convicted fraudsters to make regular restitution payments directly to the court, which then distributes them to the victim.

Finally, many companies have insurance with coverage for losses related to fraud. This coverage can include losses such as those due to the costs of preparing a proof of loss, losses due to embezzlement, losses of valuable papers and records, and loss of income. Independent fraud investigation reports can be very helpful in supporting insurance claims. Furthermore, one nice thing about embezzlement coverage is that some polices are written so that it is necessary only to prove that a loss has occurred, not who the guilty party is. The usefulness of a fraud investigation report with respect to losses of valuable papers and records, and loss of income, depends on the scope of the investigation. In many cases, the scope does not include determining the amount of losses of income or damage to valuable papers and records.

Analytic Reinforcements

Rumbi’s post of last week on ransomware got me thinking on a long drive back from Washington about what an excellent tool the AICPA’s new Cybersecurity Risk Management Reporting Framework is, not only for CPAs but for CFEs as well as for all our client organizations. As the seemingly relentless wave of cyberattacks continues with no sign of let up, organizations are under intense pressure from key stakeholders and regulators to implement and enhance their cyber security and fraud prevention programs to protect customers, employees and all the types of valuable information in their possession.

According to research from the ACFE, the average total cost per company, per event of a data breach is $3.62 million. Initial damage estimates of a single breach, while often staggering, may not take into account less obvious and often undetectable threats such as the theft of intellectual property, espionage, destruction of data, attacks on core operations or attempts to disable critical infrastructure. These effects can knock on for years and have devastating financial, operational and brand impact ramifications.

Given the present broad regulatory pressures to tighten cyber security controls and the visibility surrounding cyberrisk, a number of proposed regulations focused on improving cyber security risk management programs have been introduced in the United States over the past few years by our various governing bodies. One of the more prominent is a regulation by the New York Department of Financial Services (NYDFS) that prescribes certain minimum cyber security standards for those entities regulated by the NYDFS. Based on an entity’s risk assessment, the NYDFS law has specific requirements around data encryption and including data protection and retention, third-party information security, application security, incident response and breach notification, board reporting, and required annual re-certifications.

However, organizations continue to report to the ACFE regarding their struggle to systematically report to stakeholders on the overall effectiveness of their cyber security risk management programs. In response, the AICPA in April of last year released a new cyber security risk management reporting framework intended to help organizations expand cyberrisk reporting to a broad range of internal and external users, to include management and the board of directors. The AICPA’s new reporting framework is designed to address the need for greater stakeholder transparency by providing in-depth, easily consumable information about the state of an organization’s cyberrisk management program. The cyber security risk management examination uses an independent, objective reporting approach and employs broader and more flexible criteria. For example, it allows for the selection and utilization of any control framework considered suitable and available in establishing the entity’s basic cyber security objectives and in developing and maintaining controls within the entity’s cyber security risk management program irregardless of whether the standard is the US National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, the International Organization for standardization (ISO)’s ISO 27001/2 and related frameworks, or even an internally developed framework based on a combination of sources. The examination is voluntary, and applies to all types of entities, but should be considered by CFEs as a leading practice that provides management, boards and other key stakeholders with clear insight into the current state of an organization’s cyber security program while identifying gaps or pitfalls that leave organizations vulnerable to cyber fraud and other intrusions.

What stakeholders might benefit from a client organization’s cyber security risk management examination report? Clearly, we CFEs as we go about our routine fraud risk assessments; but such a report, most importantly, can be vital in helping an organization’s board of directors establish appropriate oversight of a company’s cyber security risk program and credibly communicate its effectiveness to stakeholders, including investors, analysts, customers, business partners and regulators. By leveraging this information, boards can challenge management’s assertions around the effectiveness of their cyberrisk management and fraud prevention programs and drive more effective decision making. Active involvement and oversight from the board can help ensure that an organization is paying adequate attention to cyberrisk management and displaying due diligence. The board can help shape expectations for reporting on cyberthreats while also advocating for greater transparency and assurance around the effectiveness of the program.

The cyber security risk management report in its initial and follow-up iterations can be invaluable in providing overview guidance to CFEs and forensic accountants in targeting both fraud prevention and fraud detection/investigative analytics. We know from our ACFE training that data analytics need to be fully integrated into the investigative process. Ensuring that data analytics are embedded in the detection/investigative process requires support from all levels, starting with the managing CFE. It will be an easier, more coherent process for management to support such a process if management is already supporting cyber security risk management reporting. Management will also have an easier time reinforcing the use of analytics generally, although the data analytics function supporting fraud examination will still have to market its services, team leaders will still be challenged by management, and team members will still have to be trained to effectively employ the newer analytical tools.

The presence of a robust cyber security risk management reporting process should also prove of assistance to the lead CFE in establishing goals for the implementation and use of data analytics in every investigation, and these goals should be communicated to the entire investigative team. It should be made clear to every level of the client organization that data analytics will support the investigative planning process for every detected fraud. The identification of business processes, IT systems, data sources, and potential analytic routines should be discussed and considered not only during planning, but also throughout every stage of the entire investigative engagement. Key in obtaining the buy-in of all is to include investigative team members in identifying areas or tests that the analytics group will target in support of the field work. Initially, it will be important to highlight success stories and educate managers and team leaders about what is possible. Improving on the traditional investigative approach of document review, interviewing, transaction review, etc. investigators can benefit from the implementation of data analytics to allow for more precise identification of the control deficiencies, instances of noncompliance with policies and procedures, and mis-assessment of areas of high risk that contributed to the development of the fraud in the first place. These same analytics can then be used to ensure that appropriate post-fraud management follow-up has occurred by elevating the identified deficiencies to the cyber security risk management reporting process and by implementing enhanced fraud prevention procedures in areas of higher fraud risk. This process would be especially useful in responding to and following up data breaches.

Once patterns are gathered and centralized, analytics can be employed to measure the frequency of occurrence, the bit sizes, the quantity of files executed and average time of use. The math involved allows an examiner to grasp the big picture. Individuals, including examiners, are normally overwhelmed by the sheer volume of information, but automation of pattern recognizing techniques makes big data a tractable investigative resource. The larger the sample size, the easier it is to determine patterns of normal and abnormal behavior. Network haystacks are bombarded by algorithms that can notify the CFE information archeologist about the probes of an insider threat for example.

Without analytics, enterprise-level fraud examination and risk assessment is a diminished discipline, limited in scope and effectiveness. Without an educated investigative workforce, armed with a programing language for automation and an accompanying data-mining philosophy and skill set, the control needs of management leaders at the enterprise level will go unmet; leaders will not have the data needed for fraud prevention on a large scale nor a workforce that is capable of getting them that data in the emergency following a breach or penetration.

The beauty of analytics, from a security and fraud prevention perspective, is that it allows the investigative efforts of the CFE to align with the critical functions of corporate business. It can be used to discover recurring risks, incidents and common trends that might otherwise have been missed. Establishing numerical baselines on quantified data can supplement a normal investigator’s tasks and enhance the auditor’s ability to see beneath the surface of what is presented in an examination. Good communication of analyzed data gives decision makers a better view of their systems through a holistic approach, which can aid in the creation of enterprise-level goals. Analytics and data mining always add dimension and depth to the CFE’s examination process at the enterprise level and dovetail with and are supported beautifully by the AICPA’s cyber security risk management reporting initiative.

CFEs should encourage the staffs of client analytics support functions to possess …

–understanding of the employing enterprise’s data concepts (data elements, record types, database types, and data file formats).
–understanding of logical and physical database structures.
–the ability to communicate effectively with IT and related functions to achieve efficient data acquisition and analysis.
–the ability to perform ad hoc data analysis as required to meet specific fraud examiner and fraud prevention objectives.
–the ability to design, build, and maintain well-documented, ongoing automated data analysis routines.
–the ability to provide consultative assistance to others who are involved in the application of analytics.