
You Are Your Report

The ACFE tells us that organizing and writing the final fraud investigation report is one of the most challenging tasks that CFEs report routinely performing in connection with their examinations. Thus, the whole process of communicating the results of our investigations is, and must be, an integral part of any CFE’s practice. As I’m sure every reader of this blog knows, any communication can be challenging, even when the news being delivered is positive, but when the news to be delivered is negative (e.g., analyzing the facts of an embezzlement or presenting the results of an investigation of a complex management fraud), the job of delivering it can be super stressful. In such situations, the CFE’s ability to communicate takes on increased importance. An organized, thoughtful approach can make that task easier and more constructive for all concerned. Therefore, in my opinion, practitioners would do well to apply some key steps to any kind of effective communication.

We can take some comfort in the realization that the responsibility for delivering bad news is certainly not unique to fraud examiners. Professionals of all disciplines have developed protocols for communicating news perceived to be negative. These protocols are generally built on the keys to effective information transfer common to all types of communication and stress the importance of having a plan. Where they differ from the general communication guidance with which assurance professionals may already be familiar is their emphasis on specific keys that are particularly helpful in face-to-face meetings and situations requiring investigators to deliver negative news. One such protocol exists under a variety of names but is most frequently dubbed the “ABCDE” mnemonic. Let’s go through the letters of the mnemonic one by one.

The “A” stands for advance planning. Advance preparation is an especially important element of effectively communicating bad news. It should go without saying that CFEs can avoid wasted time and potentially embarrassing mistakes by having a solid grasp of the facts before delivering any of their findings to others. This includes carefully reviewing findings and confirming their understanding of critical issues well in advance of any reporting. Although fraud examiners are often familiar with their audience as the result of past interactions (especially if they’re employed by an attorney or an investigative firm), it’s always helpful to gather background information about the target audience of the findings, their level of involvement with and understanding of the issue, and their communication styles so the CFE can tailor the report and/or related meeting accordingly. Examiners also may consider visualizing the point of view they expect the audience will have regarding the issue in question, because this will likely guide their reactions and questions. And as always, practice makes perfect. It’s better to work out any bugs alone or with a colleague (if you’re lucky enough to have one) than in the midst of a highly charged meeting with attorneys and management present.

“B” addresses the protocol process of building the environment and is especially relevant to face-to-face presentations of the report. The setting for the meeting also is an important factor, as it should allow the examiner to maintain control over the meeting’s direction. Optimally, the meeting should occur in a place that’s private, where the participants are not distracted, and where interruptions are kept to a minimum. These factors may not be as difficult to control in the case of meetings with an audit committee or in your employing attorney’s office, which generally occur in a private conference room, but examiners should consider the practical complications that can arise when meeting with a client manager in his or her office. Distractions created by telephones, e-mail, employees coming and going, or the possibility of being overheard can limit meeting productivity. With this in mind, CFEs should try to schedule the meeting at a time and place where the participants can devote their full attention to the challenging issues at hand.

Communicating well is the “C” in our mnemonic. Always employing direct, clear language to communicate bad news, while still being sensitive to the audience’s feelings, is an imperative skill for investigators to possess. Although it’s sometimes tempting to temper an issue or to use euphemisms to try to soften the blow, that approach can add confusion and, ultimately, only delay the inevitable. A straightforward, honest delivery of the facts is generally the best policy and is, after all, what we’re being paid to do. Never lose sight of the fact that some words (e.g., scam and scheme) are emotionally charged and may elicit negative reactions from the audience. Instead, words such as “suspected scenario” or “suspected irregularity” better convey the message without unnecessarily offending anyone. Striking the right balance between directness and sensitivity can be difficult, but it’s critical to the successful delivery of bad news. Providing the audience with specific examples from the report can help clarify the CFE’s message without the need for personal, un-objective, or emotion-laden words. We know from many ACFE publications and training courses that the majority of communication comes from body language, facial expressions, eye contact, and tone of voice. As fraud examiners and forensic accountants, we need to be aware of these nonverbal cues and keep them in check so they do not undermine delivery of our results. An important and often overlooked aspect of good communication is ensuring that the message sent equals the message received. Remember the old politician’s maxim: “Tell them. Tell them what you said. Tell them again!” It’s important, particularly in the case of bad news, for the examiner to verify that the audience fully understands the message being delivered, both its content and seriousness. Eliciting feedback from the audience will give the CFE an opportunity to confirm what they heard and will enable her to clear up any miscommunication immediately.

Dealing with reactions is the “D” in our mnemonic. As we all know, in the case of fraud reports, there will always be reactions. It’s inevitable, and healthy, that the audience will have questions and want you, the examiner, to provide actual transactions and/or evidence supporting the report findings. CFEs should be prepared, based on “A,” their advance preparation, to anticipate questions and, by gathering supporting documentation in advance, to provide these items during the meeting. Examiners should also expect audience members to offer their own responses or explanations to counter the report findings. Because emotions will be running high, these responses may take the form of a personal attack on the examiner, but s/he must take care not to react defensively or place blame. Above all, we CFEs must keep in mind that our role is to communicate factual information so that appropriate due diligence can be taken, and never to speculate in any way as to guilt or offer value judgments; stick to the facts, which will always speak for themselves far more eloquently than you can.

It’s important for management and counsel to identify the immediate impact of the bad news. For example, does this apparent instance of fraud as revealed by the fraud report have immediate regulatory ramifications? Does this situation result in the need for a restatement of financial statements? Should we move forward immediately with terminations or prosecution? The fear of unknown consequences can make bad news seem even worse. By doing some advance research to help address these types of questions, the CFE can make a valuable contribution to the organization by helping to at least begin to define the extent of the unknown. Once the immediate impact has been assessed, the next logical step will be to develop a long-term plan for fixing or mitigating the control problem. Because of the examiner’s familiarity with the mechanics of the underlying issue confronting management and counsel, s/he is in an excellent position to work with other assurance professionals to provide alternatives or suggestions for remediation and for the eventual strengthening of the client’s fraud prevention program. Examiners should be sure to emphasize their willingness to provide additional information or assistance as needed as we assist management and others to arrange the timetable for following up on the results of our investigations.

Another Sold Out Event!

Our Chapter wants to extend its formal thanks to our partners, national ACFE and the Virginia State Police, but especially to our event attendees who made this year’s May training event a resounding, sold-out success! As the rave attendee evaluations revealed, How to Testify was one of our best-received sessions ever!

Our presenter, Hugo Holland, CFE, JDD, brought his vast courtroom experience as a prosecutor and nationally recognized litigator to bear in communicating every aspect of a complex practice area in a down-to-earth comprehensible manner with no sacrifice of vital detail.

As Hugo made clear, there are two basic kinds of testimony. The first is lay testimony (sometimes called factual testimony), where witnesses testify about what they have experienced firsthand and their factual observations. The second kind is expert testimony, given by a person who, by reason of education, training, skill, or experience, is qualified to render an expert opinion regarding certain issues at hand. Typically, a fraud examiner who worked on a case will be capable of providing both lay and, potentially, expert testimony based on observations made during the investigation.

Certified Fraud Examiners (CFEs) and forensic accountants serve two primary roles as experts in forensic matters: expert consultants and expert witnesses. The fraud investigator must always be prepared to serve as an expert witness in court and learning how best to do so is critical for the training of the rounded professional. The expert consultant is an independent fraud examiner/accounting contractor who provides expert opinions in a wide array of cases, such as those relating to fraud investigations, divorces, mergers and acquisitions, employee-employer disputes, insurance disputes, and so on. In a fraud case, the CFE could identify and document all fraudulent transactions. This in turn could lead to reaching a plea bargain with a guilty employee. Therefore, the CFE helps solve a problem before any expert trial testimony is needed.

In addition, CFEs and forensic accountants are called upon to provide expert consultation services involving testimony in such areas as:

• Fraud investigations and management.
• Business valuation calculations.
• Economic damage calculations.
• Lost profits and wages.
• Disability income analysis.
• Economic analyses and valuations in matrimonial (prenuptial, postnuptial, and divorce) accounting.
• Adequacy of life insurance.
• Analysis of contract proposals.

Hugo emphasized that the most important considerations at trial for experts are credibility, demeanor, understandability, and accuracy. Credibility is not something that can be controlled in and of itself but is a result of the factors that are under the control of the expert witness. Hugo expounded in greater detail on these and other general guidelines:

• The answering of questions in plain language. Judges, juries, arbitrators, and others tend to believe expert testimony more when they truly understand what the expert says. It is best, therefore, to reduce complicated, technical arguments to plain language.

• The answering of only what is asked. Expert witnesses should not volunteer more than what is asked even when not volunteering more testimony could suggest that the expert’s testimony is giving the wrong impression. It is up to employing counsel to clear up any misimpressions through follow-up questions. That is, it is up to counsel to “rehabilitate” his or her expert witness who appears to have been impeached. That said, however, experienced expert witnesses sometimes volunteer information to protect their testimony from being twisted. Experience is needed to know when and how to do this and Hugo supplied it. Our presenter emphasized repeatedly that the best thing for an inexperienced expert witness to do is to work with experienced employing attorneys who know how to rehabilitate witnesses.

• The maintenance of a steady demeanor. It is important for the expert witness to maintain a steady, smooth demeanor regardless of which questions are asked and which side’s attorney asks them. It is especially undesirable to do something such as assume defensive body language when being questioned by the opposing side.

• Attendees learned how to be friendly and smile at appropriate times. Judges and juries are just people, and it helps to appear relaxed but professional.

• To remain silent when there is an objection by one of the attorneys. Continue speaking only when instructed to do so.

• Attendees learned how best to state the facts. The expert witness should tell the truth plainly and simply. Attendees learned how the expert’s testimony should not become more complicated or strained when it appears to be harmful to the client the expert represents. The expert witness should not try to answer questions to which s/he does not know the answer but should simply say that s/he does not know or does not have enough information to form an opinion.

• Attendees learned to control the pace. The opposing attorney can sometimes attempt to crush a witness with rapid-fire questions. The expert witness should avoid firing back answers at the same pace. This can avoid giving the appearance that s/he is arguing with the examining attorney. It also helps prevent her from being rushed and overwhelmed to the point of making mistakes.

• Most importantly, Hugo imparted invaluable techniques to survive cross examination. Attendees learned how to testify effectively on both direct and cross examination, basic courtroom procedures, and tricks for general survival on the witness stand. Attendees were told how to improve their techniques on how to offer testimony about damages and restitution while learning to know when to draw the line between aggressive testimony and improper advocacy. All our attendees walked away with more effective report writing and presentation skills as well as benefiting from a solid exploration of the different types of evidence and related legal remedies.

Again, thanks to all, attendees and partners, for making our May 2019 training event such a resounding success!

The Man in the Mirror

I readily confess I would not have won any awards for effective delegation during my early years as a fraud examiner/information systems audit professional. To my mind the buck stopped with the guy in the mirror I saw shaving every morning. I prided myself on being personally capable of performing every routine task of every assignment involved in whatever function I was managing at the time. What finally weaned me from the practice of doing it all myself was the threat of burn-out and the seemingly ever-increasing demands of a typical work week of seventy hours.

The demands of managing in an assurance environment featuring risk assessments, regulatory compliance, fraud investigations, corporate governance, and engagement quality control can be crushing for any new (or not so new) manager, but especially so for those who are unwilling, or who simply lack the skills, to adequately delegate; those skills usually only come with experience.

While some new to assurance or investigative management may think delegating simply means passing off work to subordinates, delegation also can occur laterally to peers and upward to superiors. The distinction is important, because in delegating to subordinates, one of the goals is to achieve long-term investigative team development. This goal comes with a shift in emphasis from managing to leading. Managing is about getting the work done, whereas leading fosters learning, growth, and a greater sense of responsibility among individual members of your team.

According to the ACFE, the first step to successful delegation within examination work is recognizing when to let go rather than trying to do too much. For CFEs new to leadership responsibilities, a willingness to delegate can be challenging. CFEs typically advance to management positions as a result of their individual achievements and performance. This advancement fosters a sense that the person best suited to accomplish a given task is the one who’s already done it satisfactorily, but that is not the way leaders should think. Even though an assurance professional has advanced to a management position based on past accomplishments, he or she needs to take a broader view of what is in the long-term interest of her function group and/or organization. A conscious commitment to delegation can enable the individual manager to not only increase their personal productivity but also (and here I speak from personal experience) gain better control of their lives and, hence, prevent burnout.

An honest self-examination is a precursor to delegation. CFEs and other assurance professionals in a management position need to understand their capabilities and role(s) within the organization. One way to do this is by considering their vision for and the needs of the organization. Then, what are the assurance function’s immediate and long-term goals, including capabilities and developmental needs? Trusting others, not just oneself, to do a high-quality job is a personal decision, and there can be many barriers to it. What is the nature of your own personal career goals and your priorities for work-life balance? A periodic, wholly candid assessment of these and similar issues can give any manager a better perspective on his or her motives in relation to delegating.

Delegating is more than just shoving work on someone who possesses the skill set to fit the task. Rather, delegating is an opportunity to cultivate members of the investigative team by increasing the number of people who are capable of taking on a bigger role, which can help strengthen the team and create a succession plan in the event of unexpected personnel turnover. How often have we all been witness to the chaos which can ensue when a key staff member leaves and no one has been groomed to fill her place?

To the extent possible, a new staff CFE should be matched strategically with an assignment that is a bit above his or her head as a way of providing a positive learning experience. Delegating with career development in mind means managers will need to resist playing the role of lifeguard. Subordinates will struggle at times, but managers shouldn’t be too quick to act as helicopter parents and come to the rescue. Instead, managers should remain confident in the basic capabilities of their staff and allow reasonable time for learning and growth, which enables the team to gain experience and add more value to the organization.

Knowing whether a particular assignment is within an examiner’s potential capabilities and can enable him or her to grow professionally, however, is often not an easy task. As managers delegate assignments, they should consider not limiting assignments only to those areas in which an investigator has had prior experience. Also, managers need to avoid the tendency toward primarily delegating interesting or important assignments to the most favored team members; managers should groom everyone on the team not just the superstars; it’s the superstars who are, let’s face it, the most desirable targets for external recruiters. The same is true for undesirable assignments; managers also should spread those among the whole team, which can demonstrate that everyone is treated fairly. A thoughtful delegating process helps keep the assurance team challenged and motivated, thereby reducing the likelihood of losing promising but insufficiently challenged staff members.

Initial parameters need to be established to prevent misunderstandings, deficient productivity, or delays in the timely completion of examinations. All parties involved should have a clear understanding of the delegated assignment and of expectations. However, managers should refrain from giving excessively detailed instructions. Successful delegating does not mean micromanaging anyone. Instead, managers should consider focusing on discussing the objectives, scope, and outcomes of the assignment. When examiners are allowed the flexibility and freedom to perform their work, they not only learn more but also may show considerable ingenuity. Managing CFEs can foster an environment of participative management by encouraging input from subordinates toward refining the plans, expectations, and deadlines, as well as emphasize how the present investigation fits into the larger scheme. When a team member sees the whole process rather than only a part, he or she is less likely to miss a critical matter and may become more motivated to deliver a quality product.

The ACFE recommends that the CFE engagement manager should give his or her subordinates authority to operationally pursue their assignment and to make decisions as they see fit. Delegating the authority is no less important than assigning the responsibility for a task. In the absence of conferring an appropriate level of authority, the team member’s performance could be undercut. Also, examination managers should keep an open mind by welcoming new ideas, innovative suggestions, and alternative proposals from others. Nothing is more motivating for a subordinate than to realize that he or she has a significant ownership stake in the results. This is another reason why managers should delegate as much of an entire assignment, rather than a small portion, as possible. Doing so can help instill a sense of importance and self-esteem for the staff investigator no matter what the number of years of their experience.

Communication is an essential element of successful delegating, and regular updates about progress, results, and deadlines should occur weekly, or sometimes daily, depending on the staff member’s level of experience and the type of assignment. Meetings can be conducted face-to-face, by phone, or through videoconferencing and do not always have to be long to be effective.

As managers check on progress, they should be supportive rather than intrusive and avoid putting a subordinate on the defensive by being too critical. Managers also should allow for communication flexibility by encouraging more immediate contact between progress meetings in the event a matter requiring urgent attention unexpectedly develops.

Any significant delegated assignment should culminate with a constructive evaluation of the subordinate’s performance. Often, there is a tendency to view the simple act of delegation itself as work done. As an old colleague of mine used to say, “A task delegated is a task completed.” Even in a case where the smaller scope of a subordinate’s assignment does not merit an exit session, it is still a boost for team morale to give recognition and show gratitude for the work done.

I have never met an experienced (and successful) CFE investigation team leader who did not embrace the role and significance of delegating. However, the ability to delegate depends on trust, communication, and encouragement. When delegating, assurance managers need to accept the risk that mistakes can and will occur and remember that professionals can learn from their mistakes. Not only is valuable experience gained by the investigative team, but the manager’s time also is freed up for more critical tasks and projects. In the long run, a commitment to delegation serves to strengthen any team of investigators as well as benefit our client organization, whatever and wherever that might be.

Then & Now

I was chatting over lunch last week at the John Marshall Hotel here in Richmond with a former officer of our Chapter when the subject of interviewing came up; interviewing generally, but also viewed in the context of the challenges and obstacles that fraud examiners of the next generation will face as they increasingly confront their peers, the present and future fraudsters of the Millennial and Z generations.

Joseph Wells says somewhere, in one of his excellent writings, that skill as an interviewer is one of the most important attributes that a CFE or forensic accountant can possess and probably the one of all our skills most worthy of on-going cultivation. But, as with any other professional craft, there are common pitfalls of which newer professionals especially need to be aware to increase their chances of successfully achieving their interviewing objectives.

Failure to plan sufficiently is, without a doubt, the primary error interviewers make. It seems that the more experience an interviewer has, the less he or she prepares. Whether because of busyness or overconfidence, this pitfall spells disaster. Not only does efficiency suffer because the interviewer might have to schedule another interview, but effectiveness suffers because the interviewer might never discover needed information. Fraudsters often take time before interviews to prepare answers to anticipated questions. The ACFE reports having briefed career criminals on their tactics, thoughts and behaviors about interviews, and they typically respond, “I had my routines that I was going to run down on them” and “I always had my story made up”.

During his or her planning for an interview, the CFE must carefully consider the interviewee’s role in the fraud and his or her relationship to the fraudster (if the interviewee isn’t the fraudster), available information, desired outcomes from the interview and primary interview strategy plus alternate, viable strategies. The success or failure of the interview is determined prior to the time the interviewer walks into the room. Either the interviewer is part of his or her own plan or she is part of someone else’s. The CFE, not the interviewee, has to control the interview.

An interviewer whose mind is made up before an interview even begins is courting danger. Confirmation bias (also known as confirmatory bias or myside bias) greatly increases the likelihood that an interviewer dismisses, ignores or filters out any contradictory information during an interview, whether the interviewee expresses it verbally or non-verbally. Thus, interviewers might not even be aware that they’re missing important information that could increase the examination’s effectiveness.

How many times have experienced practitioners been told by colleagues that they believed that particular interviewees were guilty only to later discover they were actually innocent? If such practitioners hadn’t been aware that their colleagues could have caused them to have confirmation bias, they might have dismissed contradictory interviewee behaviors during subsequent interviews as minor aberrations. It’s imperative that the interviewer maintain an open mind, which isn’t so much a skill set as an attitude. The effective interviewer gives the interviewee a chance by looking at all the data, listening to others and theorizing a hypothesis without precluding anything. Also, the ACFE tells us, if the interviewer maintains an open mind, the interviewee will perceive it and be more cooperative.

A guiding principle should be, the interview is not about the CFE; the CFE is conducting the interview. The interview is a professional encounter. If you don’t conduct the interview, someone else can conduct it, but the interviewee remains the same. Interviewers are replaceable; interviewees aren’t. Never lose sight of this foundational truth. If the interviewer personalizes the interview process s/he will focus on his or her inward emotions rather than on the interviewee’s verbal and non-verbal behavior. An interviewer’s unfettered emotions will have a debilitating impact on a number of levels.

If the interviewer becomes personally involved in an interview, the interviewer becomes the interviewee and the interviewee becomes the interviewer. Most of us want to search for connections to others. But if we connect too strongly, we will become so similar (at least in our own minds) to interviewees that we might have difficulty believing the interviewee is guilty or is providing inaccurate information. Once that occurs, the interviewer probably won’t obtain necessary evidence or could discount incriminating evidence.

Before each interview, remind yourself that your objective is to collect evidence in a dispassionate manner; you won’t become emotionally involved. Focus on the overall objective of the interview so that you won’t be caught up in details that could connect you too closely with the interviewee. If, for example, you discover that the interviewee is from the same part of the country you’re from, remind yourself of the many persons you know who also are from that area so you’ll dilute the influence that this information could have on your interview.

With regard to interviewing members of the present and up-and-coming generation, a majority of our youngest future citizens spend an inordinate amount of time looking at plastic screens as a significant mode for learning, communicating, being entertained and experiencing the world instead of interacting directly with others in the same space and time. This places novice CFE interviewers at a disadvantage because they have been formally trained that much of the communication between an interviewer and an interviewee takes place non-verbally. Concurrently, the verbal aspects of communication are replete with meta-messages. For example, what kind of impression does an individual make whose voice inflection rises or falls at the end of a sentence? Can this inflection be as adequately and consistently communicated via a text message compared to in-person communication? This example (and there are many more) contains the essence of the interviewing process. Unfortunately, nuances, interpersonal communication subtleties and appropriate responses that were previously thought to be integral parts of the social modeling process aren’t as readily available to the current generation of interviewers and interviewees as they were to previous generations. Research has shown that electronic devices, such as tablets, cellphones and laptops shorten attention spans. Web surfers usually spend no more than 10 to 20 seconds on a page before ads or links distract them and they move on to burrow down into succeeding rabbit holes.

A great deal of communication now takes place via 244-character communication snippets on Twitter. The average person checks his or her phone once every six minutes. Psychologists have recently coined the term ‘nomophobia’, the fear of being out of cellphone contact; shortened from ‘no-mobile-phone-phobia’. A 2015 global study reported that students’ ‘addiction’ to media is similar to drug cravings.

The attention span of the average adult is believed to have fallen from 12 minutes in 1998 to five minutes in 2014. If interviewees’ attentive capacities are just five minutes, or less, then after that point interviews provide diminishing returns. Our attention deficits probably result from a lack of self-discipline and the delusional belief that we can cognitively multi-task. We can’t do anything about our natural limitations, but we can discipline ourselves to pay attention. We can also plan and conduct our interviews with few distractions. Interviewers new and experienced should require that all participants turn off their cellphones and, when possible, interviewers should try to ask questions in an unpredictable order.

So, we can expect that a new generation of fraud examiners will soon be interviewing individuals for extended periods of time who have as much of a dearth of direct, face-to-face interpersonal communication as they do. At the extreme, we can envision two or more uncomfortable people in an interview room, all of whom can remain in the moment for only five minutes or less and are fidgety because they need plastic-screen fixes.

An additional challenge will be that CFEs of the Millennial and Z generations will soon be spending hours interviewing older interviewees who are more familiar, explicitly and implicitly, with the subtleties of interpersonal communication. These are people who have spent significantly more time in direct, face-to-face communication. The interpersonal communication-challenged interviewer will be at a significant disadvantage when interviewing guilty, guilty-knowledge, deceptive and/or antagonistic interviewees. As my lunch companion pointed out, many experienced fraudsters are master manipulators of inexperienced interviewers.

It is urgent that younger fraud examiners and forensic accountants be instructed in the strongest terms to put down their plastic screens and practice engagement with others in direct communication, with friends, family and those who cross their paths in the normal flow of life. As a lead CFE examiner or supervisor, encourage your younger employee-colleagues to write down their communication goals for each day. Suggest they read all they can on face-to-face interviewing and questioning plus verbal and non-verbal behaviors. They can take interviewing and public-speaking classes or join a Toastmasters group. Anything to get them to converse and observe body language and expressions.

Interviewing techniques are the vehicles that ride up and down the road of interpersonal communication. If that road isn’t adequate, then drivers can’t maneuver their vehicles. Your younger employees are the only persons who can bring themselves up to the necessary interpersonal speed limit to make their one-on-one interviews successful.

Tailoring Difficult Conversations

We CFE’s and forensic accountants, like other investigative professionals, are often called upon to be the bearers of bad news; it just goes with the territory.  CFE’s and forensic accountants are somewhat unique, however, in that, since fraud is ubiquitous, we’re called upon to communicate negative messages to such a diverse range of client types; today the chairman of an audit committee, tomorrow a corporate counsel, the day after that an estranged wife whose spouse has run off after looting the family business.

If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a professional relationship. And, what’s more,  it often proves a thankless task. This was recognized in a Greek proverb almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”

Physicians, who are sometimes required to deliver worse news than most CFE’s ever will, often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families. They know that the message itself may be devastating, but how they deliver it can help the patient and his or her family begin to process even the most painful facts. CFE’s are in the fortunate position of typically not having to deliver news that is quite so shattering. Nevertheless, there is no question that certain investigative results can be extremely difficult to convey and to receive. The ACFE tells us that learning how to prepare for and deliver such messages can not only create a better investigator but also facilitate a better investigative outcome.

Preparation to deliver difficult investigative results should begin well in advance, even before there is such a result to deliver. If the first time an investigator has a genuine interaction with the client is to confirm the existence of a fraud, that fact in itself constitutes a problem.  On the other hand, if the investigator has invested time in building a relationship before that difficult meeting takes place, the intent and motivations of both parties to the interaction are much better mutually understood. Continuous communication via weekly updates to clients from the moment irregularities are noted by examination is vital.

However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with any resultant fallout. In such cases, the ACFE recommends focusing on investigative process as well as on content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so the message is correct and complete.

Self-preparation involves considering the type of person who is receiving the difficult message and determining the best approach for communicating it. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Put as much effort as possible into getting to know your client since personality tends to drive how he or she wants to receive information, interact with others, and, in turn, values things and people. When there is critical investigative information that has to be understood and accepted, seasoned examiners consider delivery tailored specifically to the client to be paramount.

Once the groundwork has been laid, it’s time to have the discussion. It’s important, regarding the identified fraud, to remember to …

–Seek opportunities to balance the discussion by recognizing the client’s processes that are working well as well as those that have apparently failed;

–Offer to help or ask how you can help to address the specific issues raised in the discussion;

–Make it clear that you understand the client’s challenges. Be precise and factual in describing the causes of the identified irregularity;

–Maintain open body language. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward as this appears extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, if the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm  the situation are not successful, you might suggest a follow-up meeting after both of you have digested what was said and to consider mutually acceptable options to move forward.

–Present the bottom-line message three times in different ways so your listener has time to absorb it.

–Let the client vent if he or she wishes. The ACFE warns against a tendency to interrupt the client’s remarks of explanation or sometimes of denial; “we don’t hire people who would do something like that!” Allowing the client time to vent frees him or her to get down to business afterward.

–Focus on problems with the process as well as on the actions of the suspect(s) to build context for the fraud scenario.

–Always demonstrate empathy. Take time to think about what’s going through your hearer’s mind and help him or her think through the alleged scenario and how it occurred, what’s going to happen next with the investigation, and how the range of issues raised by the investigation might be resolved.

Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results. Emotional intelligence, understanding how to read people and relate to them, is vital in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the other so-called soft skills. Yet they can be critical to the successful practice of fraud examination. Examiners rarely  get in trouble over their technical skills because such skills are generally easier for them to master.  Examiners tend to get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done on the front end to help examiners with the equally critical soft skills which only arise after the experience of actual practice.  For that reason, watching a mentor deliver difficult messages or deal with emotional people is also an effective way to absorb good practices. ACFE training utilizes the role-playing of potentially troublesome presentations to a friendly group (say, the investigative staff) as another way to exercise one’s skills.

Delivering bad news is largely a matter of practice and experience, and it’s not something CFEs and forensic accountants have the choice to avoid. At the end of the day, we examiners need to deliver our news verbally and in writing and to facilitate our clients’ understanding of it. The underlying objective is to ensure that the fact of the alleged fraud is adequately identified, reported and addressed, and that the associated risk is understood and effectively mitigated.

Beyond the Sniff Test

Many years ago, I worked with a senior auditor colleague (who was also an attorney) who was always talking about applying what he called “the sniff test” to any financial transaction that might represent an ethical challenge.   Philosophical theories provide the bases for useful practical decision approaches and aids like my friend’s sniff test, although we can expect that most of the executives and professional accountants we work with as CFEs are unaware of exactly how and why this is so. Most seasoned directors, executives, and professional accountants, however, have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis. To their minds, if these preliminary tests give rise to concerns, a more thorough analysis should be performed using any number of defined approaches and techniques.

After having heard him use the term several times, I asked my friend if he could define it. He thought about it that morning and later, over lunch, he boiled it down to a series of questions he would ask himself:

–Would I be comfortable as a professional if this action or decision of my client were to appear on the front page of a national newspaper tomorrow morning?
–Will my client be proud of this decision tomorrow?
–Would my client’s mother be proud of this decision?
–Is this action or decision in accord with the client corporation’s mission and code?
–Does this whole thing, in all its apparent aspects and ramifications, feel right to me?

Unfortunately, for their application in actual practice, although sniff tests and commonly used rules are based on ethical principles and are often preliminarily useful, they rarely, by themselves, represent a sufficiently comprehensive examination of the decision in question and so can leave the individuals and client corporations involved vulnerable to making unethical decisions.  For this reason, more comprehensive techniques involving the impact on client stakeholders should be employed whenever a proposed decision is questionable or likely to have significant consequences.

The ACFE tells us that many individual decision makers still don’t recognize the importance of stakeholders’ expectations of rightful conduct. If they did, the decisions made by corporate executives and by accountants and lawyers involved in the Enron, Arthur Andersen, WorldCom, Tyco, Adelphia, and a whole host of other cases right up to the present day, might have avoided the personal and organizational tragedies that occurred. Some executives were motivated by greed rather than by enlightened self-interest focused on the good of all. Others went along with unethical decisions because they did not recognize that they were expected to behave differently and had a duty to do so. Some reasoned that because everyone else was doing something similar, how could it be wrong? The point is that they forgot to consider sufficiently the ethical practice (and duties) they were expected to demonstrate. Where a fiduciary duty was owed to future shareholders and other stakeholders, the public and personal virtues expected (character traits such as integrity, professionalism, courage, and so on) were not sufficiently considered. In retrospect, it would have been wise to include the assessment of ethical expectations as a separate step in any Enterprise Risk Management (ERM) process to strengthen governance and risk management systems and guard against unethical, short-sighted decisions.

It’s also evident that employees who continually make decisions for the wrong reasons, even if the right consequences result, can represent a high governance risk.  Many examples exist where executives motivated solely by greed have slipped into unethical practices, and others have been misled by faulty incentive systems. Sears Auto Center managers were selling repair services that customers did not need to raise their personal commission remuneration, and ultimately caused the company to lose reputation and future revenue.  Many of the classic financial scandals of recent memory were caused by executives who sought to manipulate company profits to support or inflate the company’s share price to boost their own stock option gains. Motivation based too narrowly on self-interest can result in unethical decisions when proper self-guidance and/or external monitoring is lacking. Because external monitoring is unlikely to capture all decisions before implementation, it is important for all employees to clearly understand the broad motivation that will lead to their own and their organization’s best interest from a stakeholder perspective.

Consequently, decision makers should take motivations and behavior expected by stakeholders into account specifically in any comprehensive ERM approach, and organizations should require accountability by employees for those expectations through governance mechanisms. Several aspects of ethical behavior have been identified as being indicative of mens rea (a guilty mind).  If personal or corporate behavior does not meet shareholder ethical expectations, there will probably be a negative impact on reputation and the ability to reach strategic objectives on a sustained basis in the medium and long term.

The stakeholder impact assessment broadens the criteria of the preliminary sniff test by offering an opportunity to assess the motivations that underlie the proposed decision or action. Although it is unlikely that an observer will be able to know with precision the real motivations that go through a decision maker’s mind, it is quite possible to project the perceptions that stakeholders will have of the action. In the minds of stakeholders, perceptions will determine reputational impacts whether those perceptions are correct or not. Moreover, it is possible to infer from remuneration and other motivational systems in place whether the decision maker’s motivation is likely to be ethical or not. To ensure a comprehensive ERM approach, in addition to projecting perceptions and evaluating motivational systems, the decisions or actions should be challenged by asking such questions as:

Does the decision or action involve and exhibit the integrity, fairness, and courage expected? Alternatively, does the decision or action involve and exhibit the motivation, virtues, and character expected?

Beyond the simple sniff test, stakeholder impact analysis offers a formal way of bringing into a decision the needs of an organization and its individual constituents (society). Trade-offs are difficult to make, and can benefit from such advances in technique. It is important not to lose sight of the fact that the concepts of stakeholder impact analysis need to be applied together as a set, not as stand-alone techniques. Only then will a comprehensive analysis be achieved and an ethical decision made.

Depending on the nature of the decision to be faced, and the range of stakeholders to be affected, a proper analysis could be based on any of the historical approaches to ethical decision making as elaborated by ACFE training and discussed so often in this blog.  A professional CFE can use stakeholder analysis in making decisions about financial fraud investigations, fraud related accounting issues, auditing procedures, and general practice matters, and should be ready to prepare or assist in such analyses for employers or clients just as is currently the case in other areas of fraud examination. Although many hard-numbers-oriented executives and accountants will be wary of becoming involved with the “soft” subjective analysis that typifies stakeholder and ethical expectations analysis, they should bear in mind that the world is changing to put a much higher value on non-numerical information. They should be wary of placing too much weight on numerical analysis lest they fall into the trap of the economist, who, as Oscar Wilde put it: “knew the price of everything and the value of nothing.”

The CFE, Management & Cybersecurity

Strategic decisions affect the ultimate success or failure of any organization. Thus, they are usually evaluated and made by the top executives. Risk management contributes meaningfully and consistently to the organization’s success as defined at the highest levels. To achieve this objective, top executives first must believe there is substantial value to be gained by embracing risk management. The best way for CFEs and other risk management professionals to engage these executives is to align fraud risk management with achievement (or non-achievement) of the organization’s vital performance targets, and use it to drive better decisions and outcomes with a higher degree of certainty.

Next, top management must trust its internal risk management professional as a peer who provides valuable perspective. Every risk assurance professional must earn trust and respect by consistently exhibiting insightful risk and performance management competence, and by evincing a deep understanding of the business and its strategic vision, objectives, and initiatives. He or she must simplify fraud risk discussions by focusing on uncertainty relative to strategic objectives and by categorizing these risks in a meaningful way. Moreover, the risk professional must always be willing to take a contrarian position, relying on objective evidence where readily available, rather than simply deferring to the subjective. Because CFEs share many of these same traits, the CFE can help internal risk executives gain that trust and respect within their client organizations.

In the past, many organizations integrated fraud risk into the evaluation of other controls. Today, per COSO guidance, the adequacy of anti-fraud controls is specifically assessed as part of the evaluation of the control activities related to identified fraud risks. Managements that identify a gap related to the fraud risk assessments performed by CFEs and work to implement a robust assessment take away an increased focus on potential fraud scenarios specific to their organizations. Many such managements have implemented new processes, including CFE facilitated sessions with operating management, that allow executives to consider fraud in new ways. The fraud risk assessment can also raise management’s awareness of opportunities for fraud outside its areas of responsibility.

The blurred line of responsibility between an entity’s internal control system and those of outsourced providers creates a need for more rigorous controls over communication between parties. Previously, many companies looked to contracts, service-level agreements, and service organization reports as their approach to managing service organizations. Today, there is a need to go further. Specifically, there is a need for focus on the service providers’ internal processes and tone at the top. Implementing these additional areas of fraud risk assessment focus can increase visibility into the vendor’s performance, fraud prevention and general internal control structure.

Most people view risk as something that should be avoided or reduced. However, CFEs and other risk professionals realize that risk is valued when it can help achieve a competitive advantage. ACFE studies show that investors and other stakeholders place a premium on management’s ability to limit the uncertainty surrounding their performance projections, especially regarding fraud risk. With Information Technology budgets shrinking and more being asked from IT, outsourcing key components of IT or critical business processes to third-party cloud-based providers is now common. Management should obtain a report on all the enterprise’s critical business applications and the related data that is managed by such providers. Top management should make sure that the organization has appropriate agreements in place with all service providers and that an appropriate audit of the provider’s operations, such as Service Organization Controls (SOC) 1 and SOC 2 assurance reports, is performed regularly by an independent party.

It’s also imperative that client management understand the safe harbor clauses in data breach laws for the countries and U.S. states where the organization does business.  In the United States, almost every state has enacted laws requiring organizations to notify the state in case of a data breach. The criteria defining what constitutes a data breach are similar in each state, with slight variations.

CFE vulnerability assessments should impress on IT management that it should strive to make upper management aware of all major breach attempts, not just actual incidents, made against the organization. To see the importance of this it’s necessary only to open a newspaper and read about the serious data breaches occurring around the world on almost a daily basis. The definition of major may, of course, differ, depending on the organization’s industry and whether the organization is global, national, or local. Additionally, top management and the board should plan to meet with the organization’s chief information security officer (CISO) at least once a year. This meeting should supplement the CFE’s annual update of the fraud risk assessment by helping management understand the state of cybersecurity within the organization and enabling top managers and directors to discuss key cybersecurity topics. It’s also important that the CISO is reporting to the appropriate levels within the organization. Keep in mind that although many CISOs continue to report within the IT organization, sometimes the chief information officer’s agenda conflicts with the CISO’s agenda. As such, the ACFE reports that a better reporting arrangement to promote independence is to migrate reporting lines to other officers such as the general counsel, chief operating officer, chief risk officer (CRO), or even the CEO, depending on the industry and the organization’s degree of dependence on technology.

As a matter of routine, every organization should establish relationships with the appropriate national and local authorities who have responsibility for cybersecurity or cybercrime response. For example, boards of U.S. companies should verify that management has protocols in place to guide contact with the Federal Bureau of Investigation (FBI) in case of a breach; the FBI has established its Key Partnership Engagement Unit, a targeted outreach program to senior executives of major private-sector corporations.

If there is a Chief Risk Officer (CRO) or equivalent, upper management and the board should, as with the CISO, meet with him or her quarterly or, at the least, annually and review all the fraud related risks that were either avoided or accepted. There are times when a business unit will identify a technology need that its executive is convinced is the right solution for the organization, even though the technology solution may have potential security risks. The CRO should report to the board about those decisions by business-unit executives that have the potential to expose the organization to additional security risks.

And don’t forget that management should be made to verify that the organization’s cyber insurance coverage is sufficient to address potential cyber risks. To understand the total potential impact of a major data breach, the board should always ask management to provide the cost per record of a data breach.

No business can totally mitigate every fraud related cyber risk it faces, but every business must focus on the vulnerabilities that present the greatest exposure. Cyber risk management is a multifaceted function that manages acceptance and avoidance of risk against the necessary actions to operate the business for success and growth, and to meet strategic objectives. Every business needs to regard risk management as an ongoing conversation between its management and supporting professionals, a conversation whose importance requires participation by an organization’s audit committee and other board members, with the CFE and the CISO serving increasingly important roles.

Team Work is Hard Work

From reading posts and comments posted to LinkedIn, it seems that a number of our Chapter members and guests from time to time find themselves involved in internal fraud investigations either as members of internal or external audit units or as sole practitioners.  As CFE’s we know that we can make significant contributions to a financial crime investigation, if we can work effectively, as team members, with the victim company’s internal and external auditors, as well as with other constituents involved in resolving allegations or suspicions of internal fraud. In addition to a thorough knowledge of accounting and auditing, CFE’s bring to bear a variety of skills, including interviewing, data mining and analysis.  We also know that some auditors assume that simply auditing more transactions, with the use of standard procedures, increases the likelihood that fraud will be found. While this can prove to be true in some cases, when there is suspicion of actual fraud, the introduction of competent forensic accounting investigators may be more likely to resolve the issue and bring it to a successful conclusion.

Within the boundaries of an investigation, we CFE’s typically deal with numerous constituencies, each with a different interest and each viewing the situation from a different perspective. These parties to the investigation may well attempt to influence the investigative process, favor their individual concerns, and react to events and findings in terms of personal biases. CFE’s thus often have the task of conveying to all constituencies that the results of the investigation will be more reliable if all participants and interested parties work together as a team and contribute their specific expertise or insight with objectivity. In the highly-charged environment created by a financial crime investigation, the forensic accounting investigator can make a huge contribution just by displaying and encouraging the balance and level headedness which comes from his or her detailed familiarity with the mechanics of the standard types of financial fraud.

The ACFE recommends that all parties with a stake in the process (management, audit committee, auditors, and legal counsel) should always consider including forensic accounting investigators in the front-end process of decision making about an investigation. One of the key initial decisions is, usually, the degree to which the forensic accounting investigators can work with and rely on the work of others, specifically, the internal and external auditors. Another common front-end decision is whether CFE’s, with their knowledge of accounting systems, controls, and typical fraud schemes, may be added to the team that eventually evaluates the organization’s business processes to strengthen the controls that allowed the fraud to occur. Management may at first be inclined to push for a quick result because it feels the company will be further damaged if it continues to operate under a shadow.

Senior executives may be unable or in some cases unwilling to see the full scope of issues and may attempt to limit the investigation, sometimes as a matter of self-protection, or they may seek to persuade the CFE that the issues at hand are immaterial. Whatever happened, it happened on their watch, and they may understandably be very sensitive to the CFE’s intrusion into their domain. Any defensiveness on the part of management should be defused as quickly and as thoroughly as possible, usually through empathy and consideration on the part of the forensic accounting investigator. The party or entity engaging the forensic accounting investigator, for example, the audit committee, management, or counsel, should be committed to a thorough investigation of all issues and is ultimately responsible for the investigation. The committee may engage CFE’s and forensic accounting investigators directly and look to them for guidance, or it may ask outside counsel to engage the CFE, who usually will work at counsel’s direction in fulfilling counsel’s responsibilities to the audit committee.

Every CFE should strive to bring independence and objectivity to the investigation and strive to assist each of the interested parties to achieve their unique but related objectives. As to the CFE’s  objectives, those are determined by the scope of work and the desire to meet the goals of whoever retained their services. Regardless of the differing interests of the various constituencies, forensic accounting investigators must typically answer the following questions:

  • Who is involved?
  • Could there be coconspirators?
  • Was the perpetrator instructed by a higher supervisor not currently a target of the investigation?
  • How much is at issue or what is the total impact on the financial statements?
  • Over what period did this occur?
  • Have we identified all material schemes?
  • How did this happen?
  • How was it identified, and could it have been detected earlier?
  • What can be done to deter a recurrence?

CFE’s should always keep in mind that they are primarily fact finders and not typically engaged to reach or provide conclusions, or, more formally, opinions. This differs from the financial auditor’s role. The financial auditor is presented with the books and records to be audited and determines the nature, extent, and timing of audit procedures. On one hand, the financial statements are management’s responsibility, and an auditor confirms they have been prepared in accordance with generally accepted accounting principles after completing these procedures and assessing the results. The CFE or forensic accounting investigator, on the other hand, commands a different set of skills and works at the direction of an employer that may be management, the audit committee, counsel, or an auditing firm itself.

Teaming with all concerned parties together with the internal and external auditors, the forensic accounting investigator should strive to bring independence and objectivity to the investigation and strive to assist each of the interested parties to achieve each team member’s unique but related objectives:

  • Management understandably may be eager to bring the investigation to a quick conclusion.
  • The chief financial officer may be defensive over the fact that his or her organization allowed this to happen.
  • The board of directors, through the independent members of its audit committee, is likely to focus on conducting a thorough and complete investigation, but its members may lack the experience needed to assess the effort. In addition, they may be concerned about their personal reputations and liability. The board is likely to look to legal counsel and, in some cases, to forensic accounting investigators to define the parameters of the project.
  • As to counsel, in most investigations in which counsel is involved, they are responsible for the overall conduct of the investigation and will assign and allocate resources accordingly.
  • The internal auditor may have a variety of objectives, including not alienating management, staying on schedule to complete the annual audit plan, and not opening the internal audit team to criticism. The internal audit team may also feel embarrassed, angry, and defensive that it did not detect the wrongdoing.
  • The external auditor may have several concerns, including whether the investigative team will conduct an investigation of adequate scope, whether the situation suggests retaining forensic accountants from the auditors’ firm, whether forensic accountants should be added to the audit team, and even whether the investigation will implicate the quality of past audits.

In summary, teamwork is complex, hard work. While fraud is not an everyday occurrence at most companies, boards and auditing firms should anticipate the need to conduct a financial fraud investigation at some time in the future. CFE’s can be an integral part of the planning for such investigations and can be of great help in designing the pre-planned teamwork protocols that ensure that, if a fraud exists, there is a high probability that it will be identified completely and dealt with in a timely and appropriate manner.

Inside and Out

I had quite a good time a little over a month ago, addressing a senior auditing class at the University of Richmond on the topic of how fraud examiners and forensic accountants can work jointly together, primarily with a client’s internal auditors and, secondarily, with its external auditors, to substantially strengthen any fraud investigation assignment.

Internal and external auditors each play an important role in the governance structure of their client organizations. Like CFEs, both groups have mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional standards set by their respective professional bodies. Additionally, as I told the very lively class, both types of auditors operate independently of the activities they audit, and they’re expected to have extensive knowledge about the business, industry, and strategic risks faced by the organizations they serve. Yet, with all their similarities, internal auditing and external auditing are two distinct functions that have numerous differences. The Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Internal auditors in the public sector (where I spent most of my audit career as a CIA) place an additional emphasis on providing assurance on performance and compliance with policies and procedures. Concerned with all aspects of the organization – both financial and non-financial – the internal auditors focus on future events because of their continuous review and evaluation of controls and processes.

In contrast, external auditing provides an independent opinion of a company’s financial statements and fair presentation. This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period are represented accurately, and whether the financial statements have been affected materially (i.e., whether they include a misstatement that is likely to influence the economic decisions of financial statement users). External auditing’s approach is mainly historical in nature, although some forward-looking improvements may be suggested in the auditors’ recommendations to management based on the analysis of controls during a financial statement audit.

I emphasized to the students that these definitions alone pinpoint the key distinctions that separate the two audit approaches. However, internal auditing is much broader and more encompassing than external auditing. Its value resides in the function’s ability to look at the underlying operations that drive the financial numbers before those numbers hit the books. For instance, when considering “sales” as a line item in a set of financial statements, the external audit focuses primarily on the existence, completeness, accuracy, classification, timing, posting and summarization of sales numbers. The internal audit goes beyond these assertions and looks at sales operations in a much broader context by asking questions regarding the target market, sales plan, organizational structure of the sales department, qualifications of sales personnel, effectiveness of sales operations, measurement of sales performance, and compliance with sales policies.

These types of questions probe the very core of sales operations and can greatly impact the sales numbers recorded in financial statements. For example, assuming a sales number of $6 million, the external auditor has merely to render an opinion regarding the validity of that number. The internal auditor, however, can ask whether the number could have really been $12 million, if only the right market had been targeted, and if operations had been effective in the first place. It’s this immersion in detail and the overall knowledge of operations that makes the internal auditor such a strong partner for the fraud examiner in any joint investigation.

Internal auditors represent an integral part of the organization – their primary clients are management and the board. Although historically internal auditors reported to the chief financial officer or other senior management staff, for the last two decades internal auditing has reported directly to the audit committee of the board of directors, which helps strengthen auditor independence and objectivity. Today, internal audit functions, for the most part, follow this reporting relationship, which is consistent with the IIA’s Standard on Organizational Independence.

The chief audit executive’s (CAE’s) appointment is normally meant to be permanent, unless he or she resigns or is dismissed. In some quasi and intergovernmental organizations, CAEs are given tenured positions – five-year appointments, for example – to enhance independence.  Conversely, external auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and by their main client, the board of directors. External auditors are appointed by the board, and they submit an annual report to the company’s shareholders. The appointment is meant to extend for a specified time – external auditors can be re-appointed at the company’s annual general meeting. In some jurisdictions, there are limits on an external auditor’s length of service, often five or seven years.

In general, internal audit functions are not mandatory for organizations. Instead, their installment is left up to individual organizations’ discretion but internal auditing is mandatory in some cases. Companies listed on the New York Stock Exchange must have an internal audit function, whether in-house or outsourced.  An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of some government agencies are also legislated, requiring government auditors to submit the audit report to their respective legislature.

The necessary qualifications for an internal auditor rest solely on the judgment of the employer. Although internal auditors are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have garnered experience that makes them abundantly qualified to perform internal auditing. Annually, more and more internal auditors hold the IIA’s Certified Internal Auditor designation, which demonstrates competency and professionalism in the field of internal auditing. Because of their continuous investigation into all the organization’s operating systems, internal auditors who remain in the same organization for many years constitute a unique resource to the CFE of comprehensive and current knowledge of the organization and its operations.

External auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies must be members of a body of professional accountants recognized by law – for example, the Institute of Chartered Accountants in England and Wales, American Institute of Certified Public Accountants, or Canadian Institute of Chartered Accountants.  Because external auditors’ scope of work is narrowly focused on financial statement auditing, and they come into the organization only once or twice a year, their knowledge of the organization’s operations is unlikely to be as extensive as that of the internal auditors.

Those entering the CFE profession need to realize that patterns of business growth, globalization, and corporate scandals have changed the thrust of the internal audit profession in recent years. In its early years, internal auditing focused on protection-oriented objectives and emphasized compliance with accounting and operational procedures, verification of calculation accuracy, fraud detection and protection of assets. Gradually, new dimensions were added that ranged from an evaluation of financial and compliance risks to an assessment of business risks, ethics and corporate governance. These changes have only increased the gap between the disciplines of internal and external auditing. Yet, despite their differences, internal auditing and external auditing no longer work in competition, as was the case before the U.S. Sarbanes-Oxley Act was enacted, when a company’s external auditors would sometimes compete with in-house audit departments for internal audit work. Regulations like Sarbanes-Oxley prohibited the external auditor from providing both external and internal audit services to the same company. Today all CFEs can benefit from the complementary skills, areas of expertise, and perspectives of both the external and the internal auditors. The ACFE recommends that to strengthen the fraud prevention program they should meet periodically to discuss common interests (like the fraud prevention program), strive to understand each other’s scope of work and methods, discuss audit coverage and scheduling to minimize redundancies, jointly assess areas of fraud risk, and provide access to each other’s reports, programs, and work papers.

In summary, fulfilling its oversight responsibilities for assurance, the board also should require internal and external auditors to coordinate their audit work to increase the economy, efficiency, and effectiveness of the overall audit process. Despite some similarities, a world of difference exists between internal auditing and external auditing. Nonetheless, both audit types, and the respective services they provide, are essential to maintaining an effective governance structure. With a greater understanding of the unique perspective of each, CFEs can maximize the aggregate contribution of each to our joint investigations and thereby ensure organizational success.

Exploiting the Dual

Many of today’s CFE’s hold dual certifications as CPA’s, CIA’s, CISA’s and a host of others. This proven enhanced expertise endows the employers of fraud examiners engaged as full time corporate auditing staff with a whole host of new and exciting fraud detection and prevention capabilities. This is especially true of corporations whose operations are daily fraud targets. Rather than dealing with the infrequent single instance of fraud, as is most often the case in conventional CFE practice, these staff practitioners endow their employers with enhanced power in the task of devising investigative and preventative approaches to cope with random, most often automated, fraud attempts arriving on a recurring basis, twenty-four hours a day, 365 days a year.

One of the most effective innovations that dually certified CFE’s can bring to bear in such dynamic fraud environments involves some version of a mixture of continuous monitoring, continuous fraud auditing and continuous assurance. As the external and internal auditing professions view the first of these general concepts, continuous monitoring constitutes a feedback mechanism, primarily used by management, to ensure that systems operate and transactions are processed as prescribed. To take one of hundreds of possible examples, management might mandate that its staff CFE(s) periodically monitor the key fraud prevention controls that check customer orders against credit limits, to ensure that those controls remain in place and aren’t deactivated.

Continuous auditing for fraud has been defined as the collection of evidence concerning fraud scenarios, by one or more examiners, on systems and transactions, on a continuous basis throughout a temporal period. For example, the staff examiners could routinely extract details of any unusually large adjusting journal entry for investigation, validate the reasons for the entry, determine whether it had been approved, and document these findings. The historical case file of irregularities will be built up from this and like evidence and from its related investigation, as will the examiner’s knowledge of the landscape of on-going fraud threats confronting the business.

Continuous fraud control assurance can even provide a concurrent or on demand assurance opinion on systems or transactions. A continuous opinion could represent an examiner’s or auditor’s opinion that overall fraud prevention controls are operating satisfactorily, unless a report is given to the contrary (often referred to as an ‘evergreen’ fraud control report). On-demand assessment concerning the functioning of key anti-fraud controls can be called for at any time to provide a spot evaluation at a point that does not necessarily coincide with a fiscal year or month-end. For example, a potential investor or lender might want to know the state of a company’s fraud prevention controls on the day that he/she makes a final investing or lending decision. Although these types of control assessments are still relatively rare, it’s possible that, given the pervasiveness of fraud in some heavily automated financial industries, the demand for this type of assessment may accelerate in the future.

Each of these three elements is built upon (and depends on) the one that precedes it. A continuous process of fraud assessment needs continuous monitoring systems to be in place to be effective. These monitoring systems provide the evidence to be collected and assessed upon which to build management assurance.

One of the biggest benefits of a program of continuous fraud control assessment is the beneficial effect it can have on an employing organization’s overall fraud control program. It’s obvious that, with continuous assessment, any key fraud control failures are detected and fixed as soon as they occur, bringing the effectiveness of the failed controls again more closely into conjunction with management’s expectations.  An additional plus for the continuous fraud control evaluation approach is that it provides early warning of problems; employing management can be apprised of a control failure as soon as it happens, providing maximum rectification time. Early warning reduces rectification downtime for the control. The objective is for the external auditors, when they later perform their checks, to find that the control weakness identified by the staff fraud examiner is now corrected and the corrected control operative as of the sign-off date, thus avoiding audit points.  One more advantage conferred by the presence of a dually certified fraud examiner on the audit staff is that many of the controls critical to the anti-fraud program can be fully automated under the CFE’s supervision and thus lend themselves to a continuous review approach. This proactive ‘no surprises’ approach to fraud control should be attractive to all organizations considering employing those holding the CFE certification as either staff auditors or security professionals.

What does it take for management to get this fraud prevention approach off the ground?  First, hire more dually certified CFE’s.  Next, automation is key to the program’s success, especially emphasizing data mining and analytics. Technology that can speed up communication is also needed, because there is no value in identifying an issue quickly if it is not communicated equally quickly to those who need to know about it. Continuous auditing for fraud includes continuous monitoring and reporting by exception on problems that arise. Therefore, the control environment of the employing organization must be at least good enough to ensure that the number of exceptions detected is not initially overwhelming. If anti-fraud controls are at a semi-mature level of effectiveness, however, there is really no reason why, with effort, a continuous assurance approach can’t work.

In setting up continuous audit tests, CFE’s must understand what can go wrong and know what they are looking for, in advance; this is a point where dual certification as an experienced CPA or CIA is a plus in guiding the testing process, in creating the business rules for detecting exceptions, and in understanding them. This latter point is no trivial matter, since something that could seem an exception under one set of circumstances can be perfectly normal under a different set, and trained financial assurance professionals know the difference.
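The point that the same amount can be an exception in one account and routine in another can be written as a per-account business rule for the adjusting-journal-entry test described earlier. The following Python is an added example, not code from the original post; the account names, entry IDs, approver field, and the median-plus-MAD baseline with its multiplier are all assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample data: prior adjusting-entry amounts per account.
HISTORY = {
    "payroll-accrual": [98_000, 101_500, 99_200, 102_300, 100_800, 97_600],
    "office-supplies": [410, 385, 520, 450, 395, 470],
}

# Constructed sample of the current period's adjusting journal entries.
ENTRIES = [
    {"id": "JE-1001", "account": "payroll-accrual", "amount": 103_000, "approved_by": "controller"},
    {"id": "JE-1002", "account": "office-supplies", "amount": 9_800, "approved_by": "controller"},
    {"id": "JE-1003", "account": "office-supplies", "amount": 440, "approved_by": None},
    {"id": "JE-1004", "account": "suspense", "amount": 2_500, "approved_by": "controller"},
]


def robust_limit(amounts, k=5.0):
    """Upper limit for an account: median + k * MAD (median absolute deviation).

    The MAD is floored at 1% of the median so that a perfectly flat
    history does not produce a zero-tolerance limit.
    """
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    return med + k * max(mad, 0.01 * med)


def review(entries, history, k=5.0, min_history=5):
    """Return [(entry_id, [reasons])] for entries that need examiner follow-up."""
    exceptions = []
    for entry in entries:
        reasons = []
        past = history.get(entry["account"], [])
        if len(past) < min_history:
            # Without a baseline the rule cannot say what "unusual" means here.
            reasons.append("no baseline for account")
        elif abs(entry["amount"]) > robust_limit(past, k):
            reasons.append("unusually large for account")
        if not entry["approved_by"]:
            reasons.append("no approval recorded")
        if reasons:
            exceptions.append((entry["id"], reasons))
    return exceptions


if __name__ == "__main__":
    for entry_id, reasons in review(ENTRIES, HISTORY):
        print(entry_id, "->", "; ".join(reasons))
```

The 103,000 payroll accrual passes while the much smaller 9,800 office-supplies entry is reported, because each amount is judged against its own account's history rather than a single global threshold.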

Creatively employing their dually certified CFEs in an enhanced fraud detection and prevention effort based on the continuous audit approach confers several benefits to any management while enhancing the fraud prevention program:

– Creation of a database of the most frequently occurring fraud scenarios coupled with the most effective audit approaches to investigate and resolve them;

– Development of tailored data analytics and investigative tools for common fraud scenarios; auditors can get the fraud related data they need when they want them;

– Faster and more thorough fraud examinations and greater depth of audit for the same cost;

– Investigation and resolution of fraud related issues as they occur is a proven proactive approach demonstrating an enhanced level of management due diligence;

– The entire audit staff can have more alternatives in the way they perform fraud related work, including reliance on preventive controls like front end systems edits which prevent fraud by screening out transactions likely to contain fraud on the system’s front end;

– Because fraud related auditing is more effective it becomes more visible for those being audited both within and without the enterprise. Senior management has first-hand knowledge that auditors are ‘on the case’ even if they do not see them every day of the week. This visibility can also act as an additional deterrent to frauds, both internal and external.