Category Archives: Anti-Fraud Policy

Working Toward Non-Prosecution

A recent major article in the financial trade press alluded to the importance of the U.S. Foreign Corrupt Practices Act as a piece of US government regulation of which it behooves all fraud examiners to be aware. The reference got me to thinking about the confusion that still persists regarding certain provisions of the Act among corporate players as reported in the article in question following several high profile prosecutions. Enacted to great fanfare in 1977, the purpose of the FCPA was to prevent the bribery by the agents of US corporations of foreign government officials when those agents were negotiating overseas contracts. The FCPA imposes heavy fines and penalties for both organizations and individuals. The two major provisions address: 1) bribery violations and 2) improper corporate books and records as well as maintenance of inadequate internal controls. Methods of enforcement and interpretation of the law in the US have continued to evolve to the present day.

From the first, the FCPA spawned questions of definition and interpretation for those trying to comply, i.e., who is a “foreign official?” What is the difference between a “facilitation” payment and a bribe? Who is considered a third party? How does the government define “adequate” internal controls to detect and deter bribery and corruption?

The United Kingdom enacted its UK Bribery Act in July 2010 which really represented the first real attempt at an anti-bribery law to address some of these issues. The UK Bribery Act introduced the concept of “adequate procedures”, that if followed could allow affirmative defense for an organization under investigation for bribery. The UK Bribery Act recommended several internal controls for combating bribery and offered the incentive of a more favorable result for those who could document compliance. Among the controls:

• Establish anti-bribery procedures;
• A top corporate level commitment to prevent bribery;
• Periodic and documented risk assessments;
• Proportionate due diligence;
• Communication of bribery prevention policies and procedures to all involved parties to corporate transactions;
• Monitoring of anti-bribery procedures.

The concept of an affirmative defense for adequate procedures creates quite a contrast to the US FCPA which only offers affirmative defense for payments of bona fide expenses or small gifts within the legal limits of the foreign countries involved. The UK Bribery Act simply equates all facilitation and influence payments to bribery, thus eliminating much confusion. Finally, the UK Bribery Act dealt with the problem of defining a foreign official by making it illegal to bribe anyone regardless of government affiliation. Several countries such as Russia, Canada and Brazil have enacted or updated their anti-bribery regulations to parallel the guidelines presented in the UK Bribery Act. The key to the effectiveness remains enforcement.

Then, in 2010, the US Department of Justice and the Securities Exchange Commission released a guide book introducing several hallmarks of an effective FCPA compliance program. The publication of the guidebook is a development which, according to the article I was reading, many auditors and CFE’s remain unaware, even today. The Resource Guide provides our client companies with the tools to demonstrate a proactive approach to the deterrence of bribery and corruption. Companies found out of compliance may receive some consideration during the fines and penalty stage of their cases.

The guidebook recommends that companies doing business overseas:
• Establish a code of conduct that specifically addresses the risk of bribery and corruption;
• Set the tone by designating a Chief Compliance Officer to oversee all anti-bribery and anti-corruption activities;
• Train all employees to be thoroughly prepared to address bribery and corruption risk and document that the training took place;
• Perform fraud risk assessments of potential bribery and corruption pitfalls by country and industry;
• Review the anti-corruption program annually to assess the effectiveness of policies, procedures and controls;
• Perform audits (routine and surprise) and monitor foreign business operations to assure strict compliance with the published code of conduct;
• Ensure proper legal contractual terms exist within agreements with third parties that address compliance with anti-bribery and corruption laws and regulations;
• Investigate and respond promptly and appropriately to all allegations of bribery and corruption;
• Take proper disciplinary action for violations of anti-bribery and corruption laws and regulations;
• Perform adequate due diligence that addresses the risk of bribery and corruption performed by third parties prior to entering into any business relationship.

Fraud examiners should make their clients aware that a company which can provide evidence of compliance with these recommendations is afforded many advantages if they’re ever charged with a violation of the Act. Among them is a Deferred Prosecution Agreement (DPA). Under a Deferred Prosecution Agreement the Department of Justice files a court document charging the organization while simultaneously requesting that prosecution be deferred in order to allow the company to demonstrate good conduct going forward. The DPA is an agreement by the organization to: cooperate with the government, accept the factual findings of the investigation, and admit culpability if so warranted. Additionally, companies may be directed to participate in compliance and remediation efforts, e.g., a court-appointed monitor. If the company completes the term of the DPA the DOJ will dismiss the charges without imposing fines and penalties!

The DOJ and the company may alternatively even enter into a Non-Prosecution Agreement. Under such an agreement the DOJ retains the right to file charges against the organization at a later time should the organization fail to comply. The NPA is not filed with the courts but is maintained by both the DOJ and the company and posted on the DOJ website. Similar to the DPA, the organization agrees to monetary penalties, ongoing cooperation, admission to relevant facts, as well as compliance and remediation of policies, procedures and controls. If the company complies with the agreement, the DOJ will, again, drop all charges.

The good news is that, since publication of the guidebook, corporate compliance programs have continued to mature, and are now generally accepted as just another cost of conducting business in a global marketplace. The US government is continuing to clarify expectations with regard to corporate responsibility at home and abroad, and working with international partners and their compliance programs.

Increased cooperation between the public and private sectors to address these issues will assist in leveling the playing field in the global marketplace. Non-government and civil society organizations, i.e. World Bank and Transparency International, are playing a key role in this effort. These organizations set standards, apply pressure on foreign governments to enact stricter anti-bribery and corruption laws, and enforce those laws. Coordination and cooperation among government, business and civil entities, reduce the incidences of bribery and corruption and increase opportunities for companies to compete fairly and ethically in the global marketplace. Hence, every fraud examiner and assurance professional should strongly support these efforts while strongly encouraging our clients to become familiar with and comply with the provisions of the recently updated 2010 guidebook.

You Are Your Report

The ACFE tells us that organizing and writing the final fraud investigation report is one of the most challenging tasks that CFE’s report routinely performing in connection with their examinations. Thus, the whole process of communicating the results of our investigations is, and must be, an integral part of any CFE’s practice. As I’m sure every reader of this blog knows, any communication can be challenging, even when the news being delivered is positive, but when the news to be delivered is negative (e.g., analyzing the facts of an embezzlement or presenting the results of an investigation of a complex management fraud), the job of delivering it can be super stressful. In such situations, the CFE’s ability to communicate takes on increased importance. An organized, thoughtful approach can make that task easier and more constructive for all concerned. Therefore, in my opinion, practitioners would do well to apply some key steps to any kind effective communication.

We can take some comfort in realization of the fact that the responsibility for delivering bad news is certainly not unique to fraud examiners. Professionals of all disciplines have developed protocols for communicating news perceived to be negative. These protocols are generally built on the keys to effective information transfer common to all types of communication and stress the importance of having a plan. Where they differ from the general communication guidance with which assurance professionals may already be familiar is their emphasis on specific keys that are particularly helpful in face-to-face meetings and situations requiring investigators to deliver negative news. One such protocol exists under a variety of names but is most frequently dubbed the “ABCDE” mnemonic. Let’s go through the letters of the mnemonic one by one.

The “A” stands for advanced planning. Advance preparation is an especially important element of effectively communicating bad news. It should go without having to be said that CFE’s can avoid wasted time and potentially embarrassing mistakes by having a solid grasp of the facts before delivering any of their findings to others. This includes carefully reviewing findings and confirming their understanding of critical issues well in advance of any reporting. Although fraud examiners often are sometimes familiar with their audience as the result of past interactions (especially if they’re employed by an attorney or an investigative firm), it’s always helpful to gather background information about the target audience of the findings, their level of involvement with and understanding of the issue, and their communication styles so the CFE can tailor the report and/ or related meeting accordingly. Examiners also may consider visualizing the point of view they expect the audience will have regarding the issue in question, because this will likely guide their reactions and questions. And as always, practice makes perfect. It’s better to work out any bugs alone or with a colleague (if you’re lucky enough to have one) than in the midst of a highly charged meeting with attorneys and management present.

“B” addresses the protocol process of building the environment and is especially relevant to face to face presentations of the report. The setting for the meeting also is an important factor, as it should allow the examiner to maintain control over the meeting’s direction. Optimally, the meeting should occur in a place that’s private, where the participants are not distracted, and where interruptions are kept to a minimum. These factors may not be as difficult to control in the case of meetings with an audit committee or in your employing attorney’s office which generally occur in a private conference room, but examiners should consider the practical complications that can arise when meeting with a client manager in his or her office. Distractions created by telephones, e-mail, employees coming and going, or the possibility of being overheard can limit meeting productivity. With this in mind, CFE’s should try to schedule the meeting at a time and place where the participants can devote their full attention to the challenging issues at hand.

Communicating well is the “C” in our mnemonic. To try always to employ direct, clear language to communicate bad news, while still being sensitive to the audience’s feelings, is an imperative skill for investigators to possess. Although it’s sometimes tempting to temper an issue or to use euphemisms to try to soften the blow, that approach can add confusion, and ultimately, only delay the inevitable. A straightforward, honest delivery of the facts is generally the best policy and is, after all, what we’re being paid to do. Never lose sight of the fact that some words (e.g., scam and scheme) are emotionally charged and may elicit negative reactions from the audience. Instead, words such as “suspected scenario”, or “suspected irregularity” better convey the message without unnecessarily offending anyone. Striking the right balance between directness and sensitivity can be difficult, but it’s critical to the successful delivery of bad news. Providing the audience with specific examples from her report can help clarify the CFE’s message without the need for personal, un-objective, or emotion laden words. We know from many ACFE publications and training courses that the majority of communication comes from body language, facial expressions, eye contact, and tone of voice. As fraud examiners and forensic accountants, we need to be aware of these nonverbal cues and keep them in check so they do not undermine delivery of our results. An important and often overlooked aspect of good communication is ensuring that the message sent equals the message received. Remember the old politician’s maxim; “Tell them. Tell them what your said. Tell them again”! It’s important, particularly in the case of bad news, for the examiner to verify that the audience fully understands the message being delivered, both its content and seriousness. Eliciting feedback from the audience will give the CFE an opportunity to confirm what they heard and will enable her to clear up any miscommunication immediately.

Dealing with reactions is the “D” in our mnemonic. As we all know, in the case of fraud reports, there will always be reactions. It’s inevitable, and healthy, that the audience will have questions and want you, the examiner, to provide actual transactions and/or evidence supporting the report findings. CFE’s should be prepared, based on “A” their advanced preparation, to anticipate questions and by gathering supporting documentation in advance, to provide these items during the meeting. Examiners should also expect audience members to offer their own responses or explanations to counter the report findings. Because emotions will be running high, these responses may take the form of a personal attack on the examiner, but s/he must take care not to react defensively or place blame. Above all, we CFE’s must keep in mind that our role is to communicate factual information so that appropriate due diligence can be taken and never to in any way speculate as to guilt or offer value judgments; stick to the facts which will always speak for themselves far more eloquently than you can.

It’s important for management and counsel to identify the immediate impact of the bad news. For example, does this apparent instance of fraud as revealed by the fraud report have immediate regulatory ramifications? Does this situation result in the need for a restatement of financial statements? Should we move forward immediately with terminations or prosecution? The fear of unknown consequences can make bad news seem even worse. By doing some advance research to help address these types of questions, the CFE can make a valuable contribution to the organization by helping to at least begin to define the extent of the unknown. Once the immediate impact has been assessed, the next logical step will be to develop a long-term plan for fixing or mitigating the control problem. Because of the examiner’s familiarity with the mechanics of the underlying issue confronting management and counsel, s/he is in an excellent position to work with other assurance professionals to provide alternatives or suggestions for remediation and for the eventual strengthening of the client’s fraud prevention program. Examiners should be sure to emphasize their willingness to provide additional information or assistance as needed as we assist management and others to arrange the timetable for following up on the results of our investigations.

It’s a Reputation Thing

According to the ACFE presenter at one of our live events, 6.4 percent of worldwide fraud cases occur in the education sector, which represents the fifth most-targeted industry by fraudsters out of 23 reported by members of the ACFE. And the three most frequent fraud schemes reported as perpetrated in the education sector are billing schemes, fraudulent expense reimbursements and corruption schemes. Most of the reporting CFE’s also seem to agree that nonprofit institutions’ greatest fraud related challenge is mitigating reputational risk. Good faculty members and students won’t join fraudulent universities. Governments and donors won’t financially contribute to organizations they don’t trust.

Thus, institutions of higher learning aren’t anymore immune to fraud than any other large organization. However, the probability of occurrence of fraud risks may be somewhat higher in colleges and universities because of their promoted environment of collegiality, which may lead to more decentralization and a consequent lack of basic internal controls. Federal and state governments, as well as donors, have increased the pressure on universities to implement better governance practices and on their boards of governors to exercise their fiduciary responsibilities more efficiently.

Which brought our speaker to the issue of regular risk assessments, but tailored specifically to the unique needs of the educational environment. Colleges and universities around the world should be actively encouraged by their governing boards and counsels to perform regular fraud risk assessments and vigorously implement and enforce compliance with targeted internal controls, such as proper segregation of duties and surprise audits. Of course, as with all organizations, universities can prevent fraud by segregating a task of requesting a financial transaction from those of approving it, processing the payment, reconciling the transaction to the appropriate accounts and safeguarding the involved asset(s). Surprise audits should be just that: unannounced supervisory reviews. This creates not just an atmosphere of collegiality and support but one in which the perceived opportunity to commit fraud is lowered.

As I’ve indicated again and again in the pages of this blog, the most powerful fraud prevention measure any organization can take is the education of its staff, top to bottom. Educating faculty, staff members and students about the university’s ethics (or anti-fraud) policies is important not only to prevent fraud but to preserve the institution’s reputation. It’s also important to develop ethics policies carefully and implement them in accordance with the particular culture and character of the institution.

Culturally, universities, like most nonprofit educational institutions, don’t like heavy-handed policies, or controls, because faculty members perceive them as impediments to their research and teaching activities. After going through an appropriate anti-fraud training program, every employee and faculty member (many higher-education institutions actually view faculty above the instructor level as quasi-independent contractors) should come to understand the nature and role of internal controls as well as the negative consequences associated with fraud.

University administrators, faculty and staff members can be motivated to prevent fraud on a basis of self-interest because its occurrence might affect their chances of promotions and salary increases and tarnish the external reputation of the university, which could then affect its financial situation and, hence, their individual prospects.

ACFE training tells us that organizational administrators who don’t get honest feedback and don’t hear and address fraud tips quickly can get in trouble politically, legally and strategically. All universities should implement user-friendly reporting mechanisms that allow anyone to anonymously report fraud and irregular activities plus deliver healthy feedback on leadership’s strengths and weaknesses. This will keep direct lines of communication open among all employees and senior university administrators. These tools will not only strengthen the fight against fraud but also advance the university’s strategic mission and refine senior administrators’ leadership styles. You can’t manage something you can’t see. Such tried and true mechanisms as independent internal audit departments and/or involved audit committees, should provide effective oversight of reporting mechanisms.

Still, many universities still resist pressure from their external stakeholders to implement hotlines because of concern they might create climates of mistrust among faculty members. Faculty members’ tendency to resist any effort to have their work examined and questioned may explain this resistance. Necessary cultural changes take some time, but educational institutions can achieve them with anti-fraud training and a substantial dose of ethical leadership and tone at the top.

From a legal perspective, colleges and universities, like any other nonprofit organization, must proactively demonstrate due diligence by adopting measures to prevent fraud and damage to their individual reputations. They’re also financially and ethically indebted to governments and donors to educate tomorrow’s leaders by demonstrating their ability to ensure that their internal policies and practices are sound.

Senior university administrators also must be able to show that they investigate all credible allegations of fraud. In addition, independent, professional and confidential fraud investigations conducted by you, the CFE, allow a victim university and its senior administrators to:

— determine the exact sources of losses and hopefully identify the perpetrator(s);
— potentially recover some or all of financial damages;
— collect evidence for potential criminal or civil lawsuits;
— avoid possible discrimination charges from terminated employees;
— identify internal control weaknesses and address them;
— reduce future losses and meet budget targets;
— comply with legal requirements such as senior administrators’ fiduciary duties of loyalty and reasonable care;
— reduce imputed university liability which may result from employee misconduct;

As CFE’s we should encourage client universities to adequately train and sensitize administrators, faculty and staff members about their ethics policies and the general problems related to occupational fraud in general. Administrators should also consider implementation of anonymous reporting programs and feedback processes among all stakeholders and among the senior administration. They should perform regular fraud risk assessments and implement targeted internal controls, such as proper segregation of duties and conflict-of-interest disclosures. Senior administrators should lead by example and adopt irreproachable behaviors at all times (tone at the top). Finally, faculty members’ job incentives should be aligned with the university’s mission and goals to avoid dysfunctional and illegal practices. All easier said than done, but, as a profession, let’s encourage them to do it when we have the chance!

Better Call Saul

As reported so often in the press these last few years, even when well-intentioned employees feel they’re doing the right thing by reporting acts of wrongdoing, their reports aren’t always well received. Numerous studies conducted by the ACFE strikingly bear this out.  And this is so much the case that any employee (public or private) who witnesses acts of wrongdoing and decides to report them is well advised to seek legal counsel before doing so.  When a whistle-blower also happens to be a CFE, the same advice applies. Every CFE should learn just when, where, and how to report fraudulent acts before blowing the whistle, if only so they can comply with the often complex procedures required to receive any available protections against retaliation.

All the U.S. states have laws to protect public sector employees from retaliation for whistle-blowing. Indeed, most of the state whistle-blowing laws were enacted specifically to actively encourage public sector employees to report fraud, waste, and abuse both in and without government agencies. Some state laws protect only public employees; others include government contractors and private-sector employees as well.  Many of the laws protecting private sector employees involve workplace safety. They were designed and enacted decades ago to protect employees from retaliation when reporting occupational safety issues. Public and private employees can use them, but they might not apply in all situations. Over the years, reporting in some other specific situations has also received protection.

Facts to keep in mind. Whistle-blowing, as it relates to fraud, is the act of reporting fraud, waste, and abuse. Reporting any act of wrongdoing is considered whistle-blowing, regardless if it’s reported by a public or private employee or to persons inside or outside of the victim organization.  Anyone can report wrongdoing, but the subsequent level of protection against retaliation an employee will receive will differ depending on whether they’re public or private, to whom they report, the manner in which they report, the type of wrongdoing they report, and the law(s) under which they report.  The ACFE tells us that a majority of unprotected whistle-blowers end up being terminated.  Among those unterminated, some are suspended, some transferred against their wishes and some are given poor performance evaluations, demoted or harassed.  To address their situation, some choose recourse to the courts.  The rub here is that to prevail, the employee will probably have to link their whistleblowing directly to the retaliation. This can be difficult for the employee experiencing any kind of current problem in the workplace because employers will claim their adverse personnel actions were based on the employees’ poor performance and not on the employees’ decision to blow the whistle. It’s especially easy for employers to assert this claim if the person who conducted the retaliation claims no knowledge of the whistle-blowing, which is very frequently the case.

Additionally, many whistle-blowers lose their cases because they didn’t comply with some technicality in the laws. Protection laws are very specific on how whistle-blowers must report the wrongdoing. Failing to comply with any aspect of the law will result in a loss of protection. Some examples:

  • Subject Matter Jurisdiction – the court must have the power to hear the kind of issue in the whistle-blower’s suit. Subject matter jurisdiction is based on the law the whistle-blower plans to use. Generally speaking, federal courts hear violations of federal laws and state courts hear violations of state laws, although this isn’t always the case. Employees can file alleged violations of their civil rights in state or federal courts under Section 1983 of Title 42 of the U.S. Code of

Federal Regulations. While rarely used in the past, today Section 1983 is part of the Civil Rights Act and the primary means of enforcing all Constitutional rights. Subject Matter Jurisdiction can help employees decide to file in federal or state court. Of course, the employer might ask to have the case moved to another court.

  • Personal Jurisdiction – the employee should make sure the court has power over the party s/he wants to sue. A court must have personal jurisdiction over the defendant to hear a case. Courts usually have personal jurisdiction over the people and organizations residing or doing business in their jurisdiction.
  • Venue – venue refers to the court that will hear the employee’s case. The proper venue is the jurisdiction in which the defendant lives or does business, where the contract was signed or carried out, or the incident took place. More than one court can have jurisdiction over the case. The employee should pick the venue most convenient for her.

As I said above, most whistle-blower laws were written and are intended to protect public-sector employees who report violations affecting public health and safety. Proving public interest is easy for public-sector employees because their work involves public protection. It’s not as easy for private-sector employees.  A goodly percentage of private-sector whistle-blowers lose their cases because the matters didn’t involve public policy.   Whistle-blowers can improve their chances of success by preparing early and reading the whistle-blowing laws of their state of jurisdiction. The case law is also important because it shows the precedent already set by the courts. The better prepared the employee is, the less likely s/he will make avoidable mistakes.  An evolving issue is the extent to which whistle-blowers must be certain of violations. Many laws already require the employee to state the specific law that was broken. Some courts require whistle-blowers to be certain of their allegations. Trends requiring certainty will make it increasingly difficult for whistle-blowers to receive protection.

As a final point.  A goodly percentage of whistle-blowers fail to achieve protection each year because of their own improper conduct. Some of these whistle-blowers misused their employers’ property; some of them stole it. Employees must ensure their conduct is above scrutiny because some courts will apply the “doctrine of unclean hands” and bar whistle-blowers from protection, if they’ve engaged in misconduct directly related to their complaints. The doctrine of unclean hands can work against employers, just as it does employees. In Virginia not too long ago, a Medicaid provider submitted documents containing incorrect claims information to the court. The whistle-blower proved the information was false and won his case on those grounds alone. Thus, it’s important for employers and employees to comport themselves with integrity.

Whistle-blowers who commit unlawful acts to advance their cases don’t do well in court, but neither do whistle-blowers who refuse to commit unlawful acts on behalf of their employers. Most state whistle-blower laws are designed to protect employees that refuse to commit unlawful acts, but it can be difficult to receive even that protection.

All this by way of saying that the laws governing whistle-blower protection are many and varied.  As fraud examiners and auditors it behooves us to be as familiar with these laws in the jurisdictions in which we practice as we reasonably can be.  But always, when confronted with such cases, always consult counsel.  As my father told me so long ago, the man or women who acts as their own attorney has a fool for a client.

The Know It All

As fraud examiners intimately concerned with the general on-going state of health of fraud management and response systems, we find ourselves constantly looking at the integrity of the data that’s truly the life blood of today’s client organizations.  We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data vulnerabilities to a minimum.   Every little bit of critical information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture. 

When it comes to managing its client, financial and payment data, almost every organization has a Pauline.  Pauline’s the person everyone goes to get the answers about data, and the state of the system(s) that process it, that no one else in her unit ever seems to have.  That’s because Pauline is an exceptional employee with years of detailed hands-on-experience in daily financial system operations and maintenance.  Pauline is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees.   The great recession of past memory where enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices only exacerbated a still existing, ever growing trend.  The very real threat to the fraud management system that the Pauline’s of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever present possibility) but that they will retire or get another job out of state, taking their vital knowledge of the company systems and data with them. 

The day after Pauline’s retirement party and, to an increasing degree thereafter, it will dawn on  Pauline’s unit management that it’s lost a large amount of valuable information about the true state of its data and financial processing system(s), of its total lack of a large amount of system critical data documentation that’s been carried around nowhere but in Jane’s head.  The point is that, for some organizations, their reliance on a few key employees for day to day, operationally related information on their data goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their fraud prevention system.  Today’s newspapers and the internet are full of stories about data breeches, only reinforcing the importance of vulnerable data and of its documentation to the on-going operational viability of our client organizations. 

Anyone whose investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of that change related information is ever formally documented.  Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily the ones involved in everyday, routine data management projects.  There’s always a significant level of detail that’s gone undocumented, left out or to chance, and it becomes up to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them.  The anomalies might be in the form of missing data, changes in data field definitions, or change in the content of the fields; the possibilities are endless.  Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management systems and for the overall fraud risk assessment process itself become almost impossible to determine.   

If our auditor or fraud examiner, operating under today’s typical budget or time constraints,  is not very thorough and misses even finding some of these anomalies, they can end up never being addressed.   How many times as an analyst have you tried to explain something (like apparently duplicate transactions) about the financial system that just doesn’t look right only to be told, “Oh, yeah.  Pauline made that change back in February before she retired; we don’t have too many details on it.”  In other words, undocumented changes to transactions and data, details of which are now only existent in Pauline’s head.  When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of overall fraud management.  The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high.  What can’t be seen, can’t ever be managed or even explained. 

It’s truly humbling for any practitioner to experience how much critical financial information resides in the fading (or absent) memories of past or present key employees.  As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent transaction related documentation and the sharing of knowledge on a consistent basis for all systems but especially in matters involving changes to critical financial systems.  One nice benefit of this approach, which I brought to the attention of one of my clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than constantly serving as the encyclopedia for the rest of the operational staff. 

Matching SOCS

I was chatting with the soon-to-be-retired information systems director of a major Richmond insurance company several nights ago at the gym. Our friendship goes back many years to when we were both audit directors for the Virginia State Auditor of Public Accounts. My friend was commenting, among other things, on the confusing flood of regulatory changes that’s swept over his industry in recent years relating to Service Organization Controls (SOC) reports. Since SOC reports can be important tools for fraud examiners, I thought they might be an interesting topic for a post.

Briefly, SOC reports are a group of internal control assurance reports, performed by independent reviewers, of IT organizations providing a range of computer based operational services, usually to multiple client corporations. The core idea of a SOC report is to have one or a series of reviews conducted of the internal controls related to financial reporting of the service organization and to then make versions of these reports available to the independent auditors of all the service organization’s user clients; in this way the service organization doesn’t have to be separately and repeatedly audited by the auditors of each of its separate clients, thereby avoiding much duplication of effort and expense on all sides.

In 2009 the International Auditing and Assurance Standards Board (IAASB) issued a new International Standard on Assurance Engagements: ‘ISAE 3402 Assurance Reports on Controls in a Service Organization’. The AICPA followed shortly thereafter with a revision of its own Statement on Auditing Standards (SAS) No. 70, guidance around the performance of third party service organization reports, releasing Statement on Standards for Attestation Engagement (SSAE) 16, ‘Reporting on Controls in a Service Organization’. So how does the SOC process work?

My friend’s insurance company (let’s call it Richmond Mutual) outsources (along with a number of companion companies) its claims processing functions to Fiscal Agent, Ltd. Richmond Mutual is the user organization and Fiscal Agent, Ltd is the service organization. To ensure that all the claims are processed and adequate internal controls are in place and functioning at the service organization, Richmond Mutual could appoint an independent CPA or service auditor to examine and report on the service organization’s controls. In the case of Richmond Mutual, however, the service organization itself, Fiscal Agent, Ltd, obtains the SOC report by appointing an independent service auditor to perform the audit and provide it with a SOC 1 report. A SOC 1 report provides assurance on the business processes that support internal controls over financial reporting and is, consequently, of interest to fraud examiners as, for example, an element to consider in structuring the fraud risk assessment. This report can then be shared with user organizations like Richmond Mutual and with their auditors as deemed necessary. The AICPA also provides for two other SOC reports: SOC 2 and SOC 3. The SOC 2 and SOC 3 reports are used for reporting on controls other than the internal controls over financial reporting. One of the key differences between SOC 2 and SOC 3 reports is that a SOC 3 is a general use report to be provided to anyone while SOC 2 reports are only for those users specifically specified in the report; in other words, the distribution is limited.

SOC reports are valuable to their many users for a whole host of obvious reasons but Fraud Examiners and other assurance professionals need to keep in mind some common misconceptions about them (some shared, I found, by my IT friend). SOC reports are not assurances. IASSB and AICPA guidelines specify that SOC reports are to be of limited distribution, to be used by the service organization, user organization and user auditors only and thus should never be used for any other service organization purpose; never, for example, as marketing or advertising tools to assure potential clients of service organization quality.

SOC 1 reports are used only for reporting on service organization internal controls over financial reporting; in cases where a user or a service organization wants to assess such areas as data privacy or confidentiality, they need to arrange for the performance of a SOC 2 and/or SOC 3 report.

It’s also a common mistake to assume that the SOC report is sufficient verification of internal controls and that no controls on the user organization side need to be assessed by the auditors; the guidelines are clear that while verifying controls at the service organization, controls at the user organization should also be verified. Since service the organization provides considerable information as background for the service auditor’s review, service organizations are often under the mistaken impression that the accuracy of this background information will not be evaluated by the SOC reviewer. The guidelines specify that SOC auditors should carefully verify the quality and accuracy of the information provided by the service organization under the “information provided by the service organization” section of their audit program.

In summary, the purpose of SOC 1 reports is to provide assurance on the processes that support internal controls over financial reporting. Fraud examiners and other users should take the time to understand the varied purpose(s) of the three types of SOC reports so they can use them intelligently. These reports can be extremely useful to fraud examiners assessing the fraud enterprise risk prevention programs of user organizations to understand the controls that impact financial operations and related IT controls, especially in multiple-service provider scenarios.

Detect and Prevent

I got a call last week from a long term colleague, one of whose smaller client firms recently discovered a long running key-employee initiated fraud. My friend has been asked to assist her client in developing approaches to strengthen controls to, hopefully, prevent such disasters in the future.

ACFE training has consistently told us over the years, and daily experience repeatedly confirmed, that it is simply not possible or economical to stop all fraud before it happens. The only way for a retail concern to absolutely stop shoplifting might be to close and accept orders only over the Internet. Similarly, the only way for a bank to absolutely stop all loan fraud might be for it to stop lending money.

In general, my friend and I agreed during our conversation, that increasing preventive security can reduce fraud losses, but beyond some point, the cost of additional preventive security will exceed the related savings from reduced fraud losses. This is where detection comes in; it may be economical when prevention is not. One way to prevent a salesclerk from stealing from the register would be for the security department to carefully monitor, review, and approve every one of the clerk’s sales. However, it would likely be much more cost effective instead to implement a simple detective control: an end-of-shift reconciliation between the cash in the register and the transactions logged by the cash register during the clerk’s shift. If refunds are not given at the point of sale, the end-of-shift balance of cash in the register should equal the shift’s sales per the transaction logs minus the balance of cash in the register at the beginning of the shift. Any significant failure of these numbers to reconcile would amount to a red flag. Of course, further investigation could show that the clerk simply made an error and so did not commit fraud.

But the cost effectiveness of detective controls, like preventive controls, imposes limits. First, such controls are not cost free to implement, and improving detective controls may cost more than the results they provide. Second, detective controls produce both false positives and false negatives. A false positive occurs when a detective control signals a possible fraud that upon investigation turns up a reasonable explanation for the indicator. A false negative occurs when a detective control fails to signal a possible fraud when one exists. Reducing false negatives means increasing the fraud detection rate.

Similarly, the cost effectiveness of increasing preventive security has a limit as does the benefit of increasing the fraud detection rate. To increase the detection rate, it’s necessary to increase the frequency at which the detective control signals possible fraud. The result is more expensive investigations, and the cost of such additional investigations can exceed the resulting reduction in fraud losses.

As we all learned in undergraduate auditing, controls are essentially policies and procedures designed to minimize losses due to fraud or to other events such as errors or acts of nature. Corrective controls are merely special control types involved once a loss is known to exist. With respect to fraud, an important corrective control involves the investigation of potential frauds and the investigation and recovery process from discovered frauds.

More generally speaking, fraud investigations themselves serve not only a corrective function but also detective and preventive functions. Such investigations are detective of fraud to the extent that they follow up on fraud signals or red flags in order to confirm or disconfirm the presence of fraud. But once fraud is confirmed to exist, fraud examinations shift toward gathering evidence and become corrective by assisting in recovery from the perpetrator and other sources such as from insurance. Fraud investigations are also corrective in that they can lead to the revelation and repair of heretofore unknown weaknesses.

The end result is that the fraud investigation functions to correct the original loss, and the related discovery of the fraud scenario leads to prevention of similar losses in the future. In summary, the fraud examination has served to detect, correct, and prevent fraud. However, fraud investigations are not normally thought of as detective controls. This so is because fraud investigations tend to be much more costly than standard detective controls and therefore are normally used only when there is already some predication in the form of a fraud indicator triggered by a typical detective control. Therefore, the primary functions of fraud investigations are to address existing frauds and help to prevent future ones.

In some cases, the primary benefit of a fraud investigation might be to prevent future frauds. Even when recovery is impossible or impractical (e.g., because the thief has no assets), unwinding the fraud scheme may still have the benefit of leading to the prevention of the same scheme in the future. Furthermore, a company might benefit from spending a very large sum of money to investigate and prosecute a very small theft in order to deter other individuals from defrauding the company in the same way. Many State governments have statutes specifying that every fraud affecting governmental assets, whether large or small, must be fully investigated because taxpayer funds are involved (the assets affected are public property).

There is never a guarantee that investigating a fraud indicator will lead to the discovery of fraud. Depending on the situation, an investigation might lead to nothing at all (i.e., produce a reasonable explanation for the original red flag) or to the discovery of losses due to simple errors, waste, inefficiencies, or even uncontrollable events like acts of nature. If a lender is considering a loan application, a fraud indicator might indicate nothing, fraud, or an error. On the other hand, in regard to the possible theft of raw materials in a production process, a fraud indicator just might indicate undocumented waste or scrap.

Two important factors to consider concerning the general design of a fraud detection process are not only the costs and benefits of detecting, correcting, and preventing a given fraud scenario but also the costs and benefits of detecting, correcting, and preventing errors, waste, uncontrollable events, and inefficiencies in general. Of course, the particular costs that are relevant will vary from one type of business process to another.

As a general rule, we can say that both preventive controls and detective controls cost less than corrective controls. Corrective controls tend to involve hands-on, resource-intensive investigations, and in many cases, such investigations do not result in recovering the loss. On the other hand, preventive controls can also be quite costly. Banks pay armed guards and incur costs to maintain expensive vaults and alarm systems. Companies surround their headquarters with high fences and armed guards, and use security checkpoints and biometric key card systems inside. On the information technology side, firms use sophisticated firewalls and multi-layer access controls. The costs of all these preventive measures can add up to staggering sums in large companies. Of course, losses that are not prevented or corrected in a timely fashion can lead to the ultimate corrective measure: bankruptcy. In fact, some ACFE estimates show that about one-third of all business failures relate to some form of fraudulent activity.

One positive aspect of the cost of preventive controls is that unlike detective controls, they do not generate fraud indicators that lead to costly investigations. In fact, they tend to do their job in complete silence so that management never even knows when they prevent a fraud. The thick door of a bank vault with a time lock prevents bank employees from entering the building at night to steal its contents. Similarly, passwords, pin numbers, and biometric data silently provide access to authorized individuals and prevent access from others.

The problem with preventive controls is that they are always subject to circumvention by determined and cunning fraudsters. There is no perfect solution to preventing acts of fraud, so detection is necessary as a secondary line of defense, and in some cases, as the primary line of defense. Consider a lending company that accepts online loan applications. It may be difficult or impossible to prevent fraudulent applications, but the company can certainly put a sophisticated (and expensive) system in place to analyze applications and provide indicators that suggest when an application may be fraudulent.

In general, the optimal allocation of resources to prevention versus detection depends on the particular business process under consideration. So, there is no general rule that dictates the optimal allocation of resources between prevention versus detection. But there are some general steps that can assist in making the allocation:

1. Analyze the target business process and identify threats and vulnerabilities.
2. Select reasonable preventive controls according to the business process and customs within the client’s industry.
3. Estimate fraud losses given the assumed preventive controls.
4. Identify and add a basic set of detective controls to the system.
5. For a given set of detective controls, identify the optimal mix of false negatives versus false positives. The optimal mix depends on the costs of investigations versus the costs of losses. Large losses and small investigation costs favor relatively low false negatives and high false positives for red flags.
6. Given the assumed mix of false negative and false positive errors, estimate the incremental cost associated with adding the detective (and related corrective) controls, and estimate the resulting reduction in fraud losses.
7. Compare the reduction in fraud losses with the increase in costs associated with adding the optimal mix of detection and correction controls.
8. If increase in costs is significantly lower than the related reduction in fraud losses, consider adding more detective controls. Otherwise, accept the set of detective controls under consideration.

Cloud Shapes

Just as clouds can take different shapes and be perceived differently, so too is cloud computing perceived differently by our various types of client companies. To some, the cloud looks like web-based applications, a revival of the old thin client. To others, the cloud looks like utility computing, a grid that charges metered rates for processing time. To some, the cloud could be parallel computing, designed to scale complex processes for improved efficiency. Interestingly, cloud services are wildly different. Amazon’s Elastic Compute Cloud offers full Linux machines with root access and the opportunity to run whatever apps the user chooses. Google’s App Engine will also let users run any program they want, as long as the user specifies it in a limited version of Python and uses Google’s database.

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. It is also important to remember what our ACFE tells us, that the Internet itself is in fact a primitive transport cloud. Users place something on the path with an expectation that it will get to the proper destination, in a reasonable time, with all parties respecting the privacy and security of the artifact.

Cloud computing, as everyone now knows, brings many advantages to users and vendors. One of its biggest advantages is that a user may no longer have to be tethered to a traditional computer to use an application, or have to buy a version of an application that is specifically configured for a phone, a tablet or other device. Today, any device that can access the Internet can run a cloud-based application. Application services are available independent of the user’s home or office devices and network interfaces. Regardless of the device being used, users also face fewer maintenance issues. End users don’t have to worry about storage capacity, compatibility or other similar concerns.

From a fraud prevention perspective, these benefits are the result of the distributed nature of the web, which necessitates a clear separation between application and interaction logic. This is because application logic and user data reside mostly on the web cloud and manifest themselves in the form of tangible user interfaces at the point of interaction, e.g., within a web browser or mobile web client. Cloud computing is also beneficial for our client’s vendors. Businesses frequently find themselves using the vast majority of their computing capacity in a small percentage of time, leaving expensive equipment often idle. Cloud computing can act as a utility grid for vendors and optimize the use of their resources. Consider, for example, a web-based application running in Amazon’s cloud. Suppose there is a sudden surge in visitors as a result of media coverage, for example. Formerly, many web applications would fail under the load of big traffic spikes. But in the cloud, assuming that the web application has been designed intelligently, additional machine instances can be launched on demand.

With all the benefits, there are related constraints. Distrust is one of the main constraints on online environments generally. particularly in terms of consumer fraud, waste and abuse protection. Although the elements that contribute to building trust can be identified in broad terms, there are still many uncertainties in defining and establishing trust in online environments. Why should users trust cloud environments to store their personal information and to share their privacy in such a large and segregated environment? This question can be answered only by investigating these uncertainties in the context of risk assessment and by exploring the relationship between trust and the way in which the risk is perceived by stakeholders. Users are assumed to be willing to disclose personal information and have that information used subsequently to store their personal data or to create consumer profiles for business use when they perceive that fair procedures are in place to protect their individual privacy.

The changing trust paradigm represented by cloud computing means that less information is stored locally on our client’s machines and is instead being hosted elsewhere on earth. No one for the most part buys software anymore; users just rent it or receive it for free using the Software as a Service (SaaS) business model. On the personal front, cloud computing means Google is storing user’s mail, Instagram their photographs, and Dropbox their documents, not to mention what mobile phones are automatically uploading to the cloud for them. In the corporate world, enterprise customers not only are using Dropbox but also have outsourced primary business functions that would have previously been handled inside the company to SaaS providers such as Salesforce.com, Zoho.com, and Box.com.

From a crime and security perspective, the aggregation of all these data, exabytes and exabytes of it, means that user’s most personal of information is no longer likely stored solely on their local hard drives but now aggregated on computer servers around the world. By aggregating important user data, financial and otherwise, on cloud-based computer servers, the cloud has obviated the need for criminals to target everybody’s hard drive individually and instead put all the jewels in a single place for criminals and hackers to target (think Willie Sutton).

The cloud is here to stay, and at this point there is no going back. But with this move to store all available data in the cloud come additional risks. Thinking of some of the largest hacks to date, Target, Heartland Payment Systems, TJX, and Sony PlayStation Network; all of these thefts of hundreds of millions of accounts were made possible because the data were stored in the same virtual location. The cloud is equally convenient for individuals, businesses, and criminals.

The virtualization and storage of all of these data is a highly complex process and raises a wide array of security, public policy, and legal issues for all CFEs and for our clients. First, during an investigation, where exactly is this magical cloud storing my defrauded client’s data? Most users have no idea when they check their status on Facebook or upload a photograph to Pinterest where in the real world this information is actually being stored. That they do not even stop to pose the question is a testament to the great convenience, and opacity, of the system. Yet from a corporate governance and fraud prevention risk perspective, whether your client’s data are stored on a computer server in America, Russia, China, or Iceland makes a difference.

ACFE guidance emphasizes that the corporate and individual perimeters that used to protect information internally are disappearing, and the beginning and end of corporate user computer networks are becoming far less well defined. It’s making it much harder for examiners and auditors to see what data are coming and going from a company, and the task is nearly impossible on the personal front. The transition to the cloud is a game changer for anti-fraud security because it completely redefines where data are stored, moved, and accessed, creating sweeping new opportunities for criminal hackers. Moreover, the non-local storage of data raises important questions about deep dependence on cloud-based information systems. When these services go down or become unavailable i.e., a denial of service attack, or the Internet connection is lost, the data become unavailable, and your client for our CFE services is out of business.

All the major cloud service providers are routinely remotely targeted by criminal attacks, including Dropbox, Google, and Microsoft, and more such attacks occur daily. Although it may be your client’s cloud service provider that is targeted in such attack, the client is the victim, and the data taken is theirs’s. Of course, the rights reserved to the providers in their terms of service agreements (and signed by users) usually mean that provider companies bear little or no liability when data breaches occur. These attacks threaten intellectual property, customer data, and even sensitive government information.

To establish trust with end users in the cloud environment, all organizations should address these fraud related risks. They also need to align their users’ perceptions with their policies. Efforts should be made to develop a standardized approach to trust and risk assessment across different domains to reduce the burden on users who seek to better understand and compare policies and practices across cloud provider organizations. This standardized approach will also aid organizations that engage in contractual sharing of consumer information, making it easier to assess risks across organizations and monitor practices for compliance with contracts. policies and law.

During the fraud risk assessment process, CFEs need to advise their individual corporate clients to mandate a given cloud based activity in which they participate to be conducted fairly and to address their privacy concerns. By ensuring this fairness and respecting privacy, organizations give their customers the confidence to disclose personal information on the cloud and to allow that information subsequently to be used to create consumer profiles for business use. Thus, organizations that understand the roles of trust and risk should be advised to continuously monitor user perceptions to understand their relation to risk aversion and risk management. Managers should not rely solely on technical control measures. Security researchers have tended to focus on the hard issues of cryptography and system design. By contrast. issues revolving around the use of computers by lay users and the creation of active incentives to avoid fraud have been relatively neglected. Many ACFE lead studies have shown that human errors are the main cause of information security incidents.

Piecemeal approaches to control security issues related to cloud environments fail simply because they are usually driven by a haphazard occurrence; reaction to the most recent incident or the most recently publicized threat. In other words, managing information security in cloud environments requires collaboration among experts from different disciplines, including computer scientists. engineers. economists, lawyers and anti-fraud assurance professionals like CFE’s, to forge common approaches.

The Human Financial Statement

A finance professor of mine in graduate school at the University of Richmond was fond of saying, in relation to financial statement fraud, that as staff competence goes down, the risk of fraud goes up. What she meant by that was that the best operated, most flawless control ever put in place can be tested and tested and tested again and score perfectly every time. But its still no match for the employee who doesn’t know, or perhaps doesn’t even care, how to operate that control; or for the manager who doesn’t read the output correctly, or for the executive who hides part of a report and changes the numbers in the rest. That’s why CFEs and the members of any fraud risk assessment team (especially our client managers who actually own the process and its results), should always take a careful look at the human component of risk; the real-world actions, and lack thereof, taken by real-life employees in addressing the day-to-day duties of their jobs.

ACFE training emphasizes that client management must evaluate whether it has implemented anti-fraud controls that adequately address the risk that a material misstatement in the financial statements will not be prevented or detected timely and then focus on fixing or developing controls to fill any gaps. The guidance offers several specific suggestions for conducting top-down, risk-based anti-fraud focused evaluations, and many of them require the active participation of staff drawn from all over the assessed enterprise. The ACFE documentation also recommends that management consider whether a control is manual or automated, its complexity, the risk of management override, and the judgment required to operate it. Moreover, it suggests that management consider the competence of the personnel who perform the control or monitor its performance.

That’s because the real risk of financial statement misstatements lies not in a company’s processes or the controls around them, but in the people behind the processes and controls who make the organization’s control environment such a dynamic, challenging piece of the corporate puzzle. Reports and papers that analyze fraud and misstatement risk use words like “mistakes” and “improprieties.” Automated controls don’t do anything “improper.” Properly programmed record-keeping and data management processes don’t make “mistakes.” People make mistakes, and people commit improprieties. Of course, human error has always been and will always be part of the fraud examiner’s universe, and an SEC-encouraged, top-down, risk-based assessment of a company’s control environment, with a view toward targeting the control processes that pose the greatest misstatement risk, falls nicely within most CFE’s existing operational ambit. The elevated role for CFEs, whether on staff or in independent private practice, in optionally conducting fraud risk evaluations offers our profession yet another chance to show its value.

Focusing on the human element of misstatement fraud risk is one important way our client companies can make significant progress in identifying their true financial statement and other fraud exposures. It also represents an opportunity for management to identify the weak links that could ultimately result in a misstatement, as well as for CFEs to make management’s evaluation process a much simpler task. I can remember reading many articles in the trade press these last years in which commentators have opined that dramatic corporate meltdowns like Wells Fargo are still happening today, under today’s increased regulatory strictures, because the controls involved in those frauds weren’t the problem, the people were. That is certainly true. Hence, smart risk assessors are integrating the performance information they come across in their risk assessments on soft controls into management’s more quantitative, control-related evaluation data to paint a far more vivid picture of what the risks look like. Often the risks will wear actual human faces. The biggest single factor in calculating restatement risk as a result of a fraud relates to the complexity of the control(s) in question and the amount of human judgment involved. The more complex a control, the more likely it is to require complicated input data and to involve highly technical calculations that make it difficult to determine from system output alone whether something is wrong with the process itself. Having more human judgment in the mix gives rise to greater apparent risk.

A computer will do exactly what you tell it to over and over; a human may not, but that’s what makes humans special, special and risky. In the case of controls, especially fraud prevention related controls, our human uniqueness can manifest as simple afternoon sleepiness or family financial troubles that prove too distracting to put aside during the workday. So many things can result in a mistaken judgment, and simple mistakes in judgment can be extremely material to the final financial statements.

CFEs, of course, aren’t in the business of grading client employees or of even commenting to them about their performance but whether the fraud risk assessment in question is related to financial report integrity or to any other issue, CFEs in making such assessments at management’s request need to consider the experience, training, quality, and capabilities of the people performing the most critical controls.

You can have a well-designed control, but if the person in charge doesn’t know, or care, what to do, that control won’t operate. And whether such a lack of ability, or of concern, is at play is a judgment call that assessing CFEs shouldn’t be afraid to make. A negative characterization of an employee’s capability doesn’t mean that employee is a bad worker, of course. It may simply mean he or she is new to the job, or it may reveal training problems in that employee’s department. CFEs proactively involved in fraud risk assessment need to keep in mind that, in some instances, competence may be so low that it results in greater risk. Both the complexity of a control and the judgment required to operate it are important. The ability to interweave notions of good and bad judgment into the fabric of a company’s overall fraud risk comes from CFEs experience doing exactly that on fraud examinations. A critical employee’s intangibles like conscientiousness, commitment, ethics and morals, and honesty, all come into play and either contribute to a stronger fraud control environment or cause it to deteriorate. CFEs need to be able, while acting as professional risk assessors, to challenge to management the quality, integrity, and motivation of employees at all levels of the organization.

Many companies conduct fraud-specific tests as a component of the fraud prevention program, and many of the most common forms of fraud can be detected by basic controls already in place. Indeed, fraud is a common concern throughout all routine audits, as opposed to the conduct of separate fraud-only audits. It can be argued that every internal control is a fraud deterrent control. But fraud still exists.

What CFEs have to offer to the risk assessment of financial statement and other frauds is their overall proficiency in fraud detection and the reality that they are well-versed in, and cognizant of, the risk of fraud in every given business process of the company; they are, therefore, well positioned to apply their best professional judgment to the assessment of the degree of risk of financial statement misstatement that fraud represents in any given client enterprise.

Authority Figures

As fraud examiners and forensic accountants intimately concerned with the on-going state of health of our client’s fraud management programs, we find ourselves constantly looking at the integrity of the critical data that’s truly (as much as financial capital) the life blood of today’s organizations. We’re constantly evaluating the network of anti-fraud controls we hope will help keep those pesky, uncontrolled, random data driven vulnerabilities to fraud to a minimum. Every little bit of critical financial information that gets mishandled or falls through the cracks, every transaction that doesn’t get recorded, every anti-fraud policy or procedure that’s misapplied has some effect on the client’s overall fraud management picture and on our challenge.

When it comes to managing its client, financial and payment data, almost every small to medium sized organization has a Sandy. Sandy’s the person to whom everyone goes to get the answers about data, and the state of system(s) that process it; quick answers that no one else ever seems to have. That’s because Sandy is an exceptional employee with years of detailed hands-on-experience in daily financial system operations and maintenance. Sandy is also an example of the extraordinary level of dependence that many organizations have today on a small handful of their key employees. The now unlamented great recession, during which enterprises relied on retaining the experienced employees they had rather than on traditional hiring and cross-training practices, only exacerbated an existing, ever growing trend. The very real threat to the Enterprise Fraud Management system that the Sandy’s of the corporate data world pose is not so much that they will commit fraud themselves (although that’s an ever-present possibility) but that they will retire or get another job across town or out of state, taking their vital knowledge of company systems and data with them.

The day after Sandy’s retirement party and, to an increasing degree thereafter, it will dawn on Sandy’s management that it’s lost a large amount of information about the true state of its data and financial processing system(s). Management will also become aware, if it isn’t already, of its lack of a large amount of system critical data documentation that’s been carried around nowhere else but in Sandy’s head. The point is that, for some smaller organizations, their reliance on a few key employees for day to day, operationally related information goes well beyond what’s appropriate and constitutes an unacceptable level of risk to their entire fraud prevention programs. Today’s newspapers and the internet are full of stories about hacking and large-scale data breeches, that only reinforce the importance of vulnerable data and of the completeness of its documentation to the on-going operational viability of our client organizations.

Anyone whose investigated frauds involving large scale financial systems (insurance claims, bank records, client payment information) is painfully aware that when the composition of data changes (field definitions or content) surprisingly little of change related information is formally documented. Most of the information is stored in the heads of some key employees, and those key employees aren’t necessarily involved in everyday, routine data management projects. There’s always a significant level of detail that’s gone undocumented, left out or to chance, and it becomes up to the analyst of the data (be s/he an auditor, a management scientist, a fraud examiner or other assurance professional) to find the anomalies and question them. The anomalies might be in the form of missing data, changes in data field definitions, or changes in the content of the fields; the possibilities are endless. Without proper, formal documentation, the immediate or future significance of these types of anomalies for the fraud management system and for the overall fraud risk assessment process itself become almost impossible to determine.

If our auditor or fraud examiner, operating under today’s typical budget or time constraints, is not very thorough and misses the identification of some of these anomalies, they can end up never being addressed. How many times as an analyst have we all tried to explain something (like apparently duplicate transactions) about the financial system that just doesn’t look right only to be told, “Oh, yeah. Sandy made that change back in February before she retired; we don’t have too many details on it.” In other words, undocumented changes to transactions and data, details of which are now only existent in Sandy’s no longer available head. When a data driven system is built on incomplete information, the system can be said to have failed in its role as a component of the origination’s fraud prevention program. The cycle of incomplete information gets propagated to future decisions, and the cost of the missing or inadequately explained data can be high. What can’t be seen, can’t ever be managed or even explained.

In summary, it’s a truly humbling to experience to be confronted with how much critical financial information resides in the fading (or absent) memories of past or present key employees; what the ACFE calls authority figures. As fraud examiners we should attempt to foster a culture among our clients supportive of the development of concurrent systems of transaction related documentation and the sharing of knowledge on a consistent basis about all systems but especially regarding the recording of changes to critical financial systems. One nice benefit of this approach, which I brought to the attention of one of my audit clients not too long ago, would be to free up the time of one of these key employees to work on more productive fraud control projects rather than serving as the encyclopedia for the rest of the operational staff.