Category Archives: Continuous Fraud Auditing

Fraud Detection-Fraud Prevention

One of our CFE chapter members left us a contact comment asking whether concurrent fraud auditing might not be a good fraud prevention tool for use by a retailer client of hers that receives hundreds of credit card payments for services each day. The foundational concepts behind concurrent fraud auditing owe much to the idea of continuous assurance auditing (CAA) that internal auditors have applied for years; I personally applied the approach as an essential tool throughout by carrier as a chief audit executive (CAE). Basically, the heart of a system of concurrent fraud auditing (CFA) like that of CAA is the process of embedding control based software monitors in real time, automated financial or payment systems to alert reviewers of transactional anomalies in as close to their occurrence as possible. Today’s networked/cloud based processing environments have made the implementation and support of such real time review approaches operationally feasible in ways that the older, batch processing based environments couldn’t.

Our member’s client uses several on-line, cloud based services to process its customer payments; these services provide our member’s client with a large database full of payment history, tantamount to a data warehouse, all available for use on SQL server, by in-house client IT applications like Oracle and SAP. In such a data rich environment, CFE’s and other assurance professionals can readily test for the presence of transactional patterns characteristic of defined, common payment fraud scenarios such as those associated with identity theft and money laundering. The objective of the CFA program is not necessarily to recover the dollars associated with on-line frauds but to continuously (in as close to real time as possible) adjust the edits in the payment collection and processing system so that certain fraudulent transactions (those associated with known fraud scenarios) stand a greater chance of not even getting processed in the first place. Over time, the CFA process should get better and better at editing out or flagging the anomalies associated with your defined scenarios.

The central concept of any CFA system is that of an independent application monitoring for suspected fraud related activity through, for example (as with our Chapter member), periodic (or even real time) reviews of the cloud based files of an automated payment system. Depending upon the degree of criticality of the results of its observations, activity summaries of unusual items can be generated with any specified frequency and/or highlighted to an exception report folder and communicated to auditors via “red flag” e-mail notices. At the heart of the system lies a set of measurable, operational metrics or tags associated with defined fraud scenarios. The fraud prevention team would establish the metrics it wishes to monitor as well as supporting standards for those metrics. As a simple example, the U.S. has established anti-money-laundering banking rules specifying that all transactions over $10,000 must be reported to regulators. By experience, the $10,000 threshold is a fraud related metric investigators have found to be generic in the identification of many money-laundering fraud scenarios. Anti-fraud metric tags could be built into the cloud based financial system of our Chapter member’s client to monitor in real time all accounts payable and other cash transfer transactions with a rule that any over $10,000 would be flagged and reviewed by a member of the audit staff. This same process could have multiple levels of metrics and standards with exceptions fed up to a first level assurance process that could monitor the outliers and, in some instances, send back a correcting feedback transaction to the financial system itself (an adjusting or corrective edit or transaction flag). The warning notes that our e-mail systems send us that our mailboxes are full are another example of this type of real time flagging and editing.

Yet other types of discrepancies would flow up to a second level fraud monitoring or audit process. This level would produce pre-formatted reports to management or constitute emergency exception notices. Beyond just reports, this level could produce more significant anti-fraud or assurance actions like the referral of a transaction or group of transactions to an enterprise fraud management committee for consideration as documentation of the need for an actual future financial system fraud prevention edit. To continue the e-mail example, this is where the system would initiate a transaction to prevent future mailbox accesses to an offending e-mail user.

There is additionally yet a third level for our system which is to use the CFA to monitor the concurrent fraud auditing process itself. Control procedures can be built to report monitoring results to external auditors, governmental regulators, the audit committee and to corporate council as documented evidence of management’s performance of due diligence in its fight against fraud.

So I would encourage our member CFE to discuss the CFA approach with the management of her client. It isn’t the right tool for everyone since such systems can vary greatly in cost depending upon the existing processing environment and level of IT sophistication of the implementing organization. CFA’s are particularly useful for monitoring purchase and payment cycle applications with an emphasis on controls over customer and vendor related fraud. CFA is an especially useful tool for any financial application where large amounts of cash are either coming in or going out the door (think banking applications) and to control all aspects of the processing of insurance claims.

Cyberfraud & Business Continuity

We received an e-mail inquiry from a follower of our Chapter’s LinkedIn page last week asking specifically about recovery following a cyberfraud penetration and, in general, about disaster planning for smaller financial institutions. It’s a truism that with virtually every type of business process and customer moving away from brick-and-mortar places of business to cloud supported business transactions and communication, every such organization faces an exponential increase in the threat of viruses, bots, phishing attacks, identity theft, and a whole host of other cyberfraud intrusion risks.  All these threats illustrate why a post-intrusion continuity plan should be at or near the top of any organization’s risk assessment, yet many of our smaller clients especially remain stymied by what they feel are the costs and implementational complexity of developing such a plan. Although management understands that it should have a plan, many say, “we’ll have to get to that next year”, yet it never seems to happen.

Downtime due to unexpected penetrations, breeches and disasters of all kinds not only affect our client businesses individually, but can also affect the local, regional, or worldwide economy if the business is sufficiently large or critical. Organizations like Equifax do not operate in a vacuum; they are held accountable by customers, vendors, and owners to operate as expected. Moreover, the extent of the impact on a business depends on the products or services it offers. Having an updated, comprehensive, and tested general continuity plan can help organizations mitigate operational losses in the event of any disaster or major disruption. Whether it’s advising the organization about cyberfraud in general or reviewing the different elements of a continuity plan for fraud impact, the CFE can proactively assist the client organization on the front end in getting a cyberfraud-recovery continuity plan in place and then in ensuring its efficient operation on the back end.

Specifically, regarding the impact of cyberfraud, the ACFE tells us that, until relatively recently, many organizations reported not having directly addressed it in their formal business continuity plans. Some may have had limited plans that addressed only a few financial fraud-related scenarios, such as employee embezzlement or supplier billing fraud, but hadn’t equipped general employees to deal with even the most elemental impacts of cyberfraud.   However, as these threats increasingly loomed, and as their on-line business expanded, more organizations have committed themselves to the process of formally addressing them.

An overall business continuity plan, including targeted elements to address cyberfraud, isn’t a short-term project, but rather an ongoing set of procedures and control definitions that must evolve along with the organization and its environment. It’s an action plan, complete with the tools and resources needed to continue those critical business processes necessary to keep the entity operating after a cyber disruption. Before advising our clients to embark on such a business continuity plan project, we need to make them aware that there is a wealth of documentation available that they can review to help in their planning and execution effort. An example of such documentation is one written for the industry of our Chapter’s inquirer, banking; the U.S. Federal Financial Institutions Examination Council’s (FFIEC’s) Business Continuity Planning Handbook. And there are other such guides available on-line to orient the continuity process for entities in virtually every other major business sector.  While banks are held to a high standard of preparedness, and are subject to regular bank examination, all types of organizations can profit from use of the detailed outline the FFIEC handbook provides as input to develop their own plans. The publication encourages organizations of all sizes to adopt a process-oriented approach to continuity planning that involves business impact analysis as well as fraud risk assessment, management, and monitoring.

An effective plan begins with client commitment from the top. Senior management and the board of directors are responsible for managing and controlling risk; plan effectiveness depends on management’s willingness to commit to the process from start to finish. Working as part of the implementation team, CFEs can make sure both the audit committee and senior management understand this commitment and realize that business disruption from cyber-attack represents an elevated risk to the organization that merits senior-level attention. The goal of this analysis is to identify the impact of cyber threats and related events on all the client organizations’ business processes. Critical needs are assessed for all functions, processes, and personnel, including specialized equipment requirements, outsourced relationships and dependencies, alternate site needs, staff cross-training, and staff support such as specialized training and guidance from human resources regarding related personnel issues. As participants in this process, CFEs acting proactively are uniquely qualified to assist management in the identification of different cyberfraud threats and their potential impacts on the organization.

Risk assessment helps gauge whether planned cyberfraud-related continuity efforts will be successful. Business processes and impact assumptions should be stress tested during this phase. Risks related to protecting customer and financial information, complying with regulatory guidelines, selecting new systems to support the business, managing vendors, and maintaining secure IT should all be considered. By focusing on a single type of potential cyber threat’s impact on the business, our client organizations can develop realistic scenarios of related threats that may disrupt the cyber-targeted processes.  At the risk assessment stage, organization should perform a gap analysis to compare what actions are needed to recover normal operations versus those required for a major business interruption. This analysis highlights cyber exposures that the organization will need to address in developing its recovery plan. Clients should also consider conducting another gap analysis to compare what is present in their proposed or existing continuity plan with what is outlined (in the case of a bank) in the recommendations presented in the FFIEC handbook. This is an excellent way to assess needs and compliance with these and/or the guidelines available for other industries. Here too, CFEs can provide value by employing their skills in fraud risk assessment to assist the organization in its identification of the most relevant cyber risks.

After analyzing the business impact analysis and risk assessment, the organization should devise a strategy to mitigate the risks of business interruption from cyberfraud. This becomes the plan itself, a catalog of steps and checklists, which includes team members and their roles for recovery, to initiate action following a cyber penetration event. The plan should go beyond technical issues to also include processes such as identifying a lead team, creating lists of emergency contacts, developing calling trees, listing manual procedures, considering alternate locations, and outlining procedures for dealing with public relations.  As members of the team CFEs, can work with management throughout response plan creation and installation, consulting on plan creation, while advising management on areas to consider and ensuring that fraud related risks are transparently defined and addressed.

Testing is critical to confirm cyber fraud contingency plans. Testing objectives should start small, with methods such as walkthroughs, and increase to eventually encompass tabletop exercises and full enterprise wide testing. The plan should be reviewed and updated for any changes in personnel, policies, operations, and technology. CFEs can provide management with a fraud-aware review of the plan and how it operates, but their involvement should not replace management’s participation in testing the actual plan. If the staff who may have to execute the plan have never touched it, they are setting themselves up for failure.

Once the plan is created and tested, maintaining it becomes the most challenging activity and is vital to success in today’s ever-evolving universe of cyber threats. Therefore, concurrent updating of the plan in the face of new and emerging threats is critical.

In summary, cyberfraud-threat continuity planning is an ongoing process for all types of internet dependent organizations that must remain flexible as daily threats change and migrate. The plan is a “living” document. The IT departments of organizations are challenged with identifying and including the necessary elements unique to their processes and environment on a continuous basis. Equally important, client management must oversee update of the plan on a concurrent basis as the business grows and introduces new on-line dependent products and services. CFEs can assist by ensuring that their client organizations keep cyberfraud related continuity planning at the top of mind by conducting periodic reviews of the basic plan and by reporting on the effectiveness of its testing.

On Business Process Flow

During the last few years attention has increasingly turned to consideration of client critical business processes functioning as a unified whole as a focus of both risk assessment and fraud prevention efforts.  As result of this attention has come the accompanying realization that superior design of individual business processes is not only critical to the success of the overall organization but to its fraud prevention effort as well. For example, take bid preparation, a process that is usually conducted under time pressure, and requires cross-organizational coordination involving the finance, marketing and production departments. If this process is badly designed, it may slow down processing and lead to late submission of the bid or to an inadequately organized bid, reducing the chances of winning the tender, all outcomes that increase the risk of the emergence of irregularities and perhaps even to the enhanced facilitation of actual fraud. 

An additional realization has been that business processes require process based management.  As CFE’s, our client organizations are usually divided into functional units (e.g., finance, marketing). Many business processes, however, like the bid process, are cross-organizational, involving several functions within the organization.  A raw material purchasing process flows through the warehouse, logistics, purchasing and finance functions. Although each unit may function impeccably independently, the process may be impaired due to a lack of coordination among the units. To prevent the obvious fraud vulnerabilities related to this problem, the ACFE emphasizes the need to manage the business process fraud prevention effort end to end. This includes appointing a process owner; setting performance standards (e.g., time, quality, cost); and establishing (and risk assessing) the control, monitoring and measurement of all the processes at work. 

In the modern business world, change is constantly occurring; admirable as this fact is from an innovation perspective, anything that creates change, especially rapid change, can constitute opportunity for the ethically challenged.  Despite this and associated risks, to ensure its competitiveness, the organization must continuously improve and adapt its business processes. Automated processes based on information systems are usually more difficult and expensive to change than manual processes (of which there are fewer left every day). Modifications to traditional program code require time and human resources, resulting in delays and high costs. Hence, to maintain business agility, automating business processes requires a technology that supports rapid modifications and often, less management oversight and control and more vulnerability to fraud. 

Any business that is successful over the long term has most likely performed some kind of risk assessment, and had some success at managing business risks. Managers of successful entities have thought out what risks could have a significant negative impact on their ability to successfully execute the business plan, or even just cause a substantial loss of business, and have attempted to provided mitigating activities to address those risks. With the pervasiveness of fraud and, more important, their increasing dependence on cross organizational business processes, entities have had to consider a fraud risk assessment as a sizeable portion of any fraud prevention effort. Yet, many entities struggle with the issue or, if convinced of the need to conduct an assessment across business process flows, with where to begin in performing an effective one. 

The primary focus of a cross-organizational business process fraud risk assessment is to identify risks that the totality of such business processes present to the business, i.e., adverse effects related to these processes, whether taken as a whole or individually, are not in the best interests of the entity. These risks are usually associated with business elements such as the ability to deliver the service/product efficiently and effectively, the ability to comply with regulations or contractual obligations, the effectiveness of systems (especially accounting systems and financial reporting systems), and the effective management of the entity in general (to achieve goals and objectives, to successfully achieve the business model). Weak anti-fraud controls can introduce risks in any of these areas, and more. For instance, robust anti-fraud controls can enhance the entity’s ability to sell its products over the internet, or move costs (clerical functions) from within the entity (employees) to customers outside the entity (e.g., online banking and the need to ask questions about accounts).   The bottom line is that there is a need to have an effective identification and assessment of business process risks where the risks are at a degree that is more than trivial. 

Typically, fraud risk is assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. The greater that product, the more significant that risk is to the entity, and the more it needs to be mitigated. Therefore, for each cross-organizational process risk, someone is asking the questions: what is the magnitude of the identified fraud risk/failure (e.g., monetary loss)? What is the likelihood of it occurring (e.g., a percentage)? One thing the CFE can do is to obtain a copy of the client’s current risk assessment document. If management does not have one, or if it is in their head, then by default, assurance over fraud risk being properly mitigated is lowered. Another good start is to obtain the client’s business model; goals, objectives and strategies; and policies and procedures documents. A review of these documents will enable the CFE to understand where cross business process fraud risks could occur.   

Another thing the CFE should do is gain a good understanding of the loss prevention function (if there is one), including its managerial and operational aspects. Then, depending on the entity, there could be an extensive list of technologies or systems that will need to be evaluated for risk in operations. From the management side, it includes the internal audit and loss prevention staffs. A measure of the competency of staff devoted to the fraud prevention effort is a key factor. Obviously, the more competent the staff, the lower the risks associated with all the elements of operations they affect, and vice versa. 

Since traditional systems are transaction based and handle each transaction and business document separately, it’s difficult to audit processes end to end.  Therefore, in such systems proper audit trails should be designed and implemented to ensure that a chronological record of all events that have occurred is maintained.  A focus on entire business processes, by contrast, is process flow based and therefore audit trails are a built-in feature.  In automated systems featuring this type of inter-process flow, all incidents and steps of multi-business processes are documented and linked to each other in the order they occurred.  

From the access control aspect of operations, an assessment should be made as to risk of unauthorized activities. For example, do access controls sufficiently limit access to systems and supported business process flows by effective authorization and authentication controls? Does the information management test new systems and applications thoroughly before deployment? Is there a sufficient staging area so that business process flow support applications can be tested not only on a stand-alone basis but also when interfaced with other applications and whole systems? If applications are not tested, this would lead the CFE to have less assurance about mitigating fraud risks facilitated by bugs and system failures.

The focus of fraud mitigation has moved, with increasing automation, away from the simple single fraud scenario to the entire flow of the interlocking business processes constituting the modern organization and their analytic footprint. 

Talking Through the Hindrances

That control self-assessment (CSA) can be used as an effective facilitation tool to develop fraud risk assessments is, I’m sure, of no surprise to many of the readers of this blog.  But, for those of you who are not so aware … typically, a control self-assessment session to identify fraud risk is a facilitated meeting of managerial and operational staff (the business process experts) coming together to openly discuss fraud risk prevention objectives related to identified risk factors associated with one or more of a company’s business processes.

Fraud prevention objectives for the business process are identified, as well as obstacles impeding the success of those objectives.  Finally, the team suggests, for upper management consideration, ways to overcome identified obstacles and a proposed corrective action plan is prepared.  At the start of the self-assessment session, the participants adopt a Team Operating Agreement to ensure that an open and honest discussion takes place in a threat free environment.  It takes a consensus of the participants to approve the operating agreement which all the participants in the session sign; no management decisions regarding actions to be taken are made during the session.

After the Operating Team Agreement is in place, team members typically develop and approve what they perceive to be a list of fraud prevention objectives for the target business process under discussion.  Once the anti-fraud objectives are defined, the participants enter a discussion (and develop a list) of what they feel to be the existing overall fraud prevention strengths of the subject process.  Next, the team discusses and develops a list of the hindrances currently preventing the process from achieving its anti-fraud related objectives.  Finally, the team develops recommendations for overcoming the identified hindrances.  Sometimes the team ranks its fraud reduction recommendations by order of importance but this step is not critical.

A CSA for fraud prevention is akin to a risk assessment brainstorming session.  For example, the scope of such a session regarding a financial reporting related business process might be tailored to the risks of financial statement fraud and misstatement as well as to the issue of management override of controls over financial statement reporting.  The objective of the CSA is for the team to identify and discuss fraud risks, fraud scenarios and mitigating controls followed by the preparation of a set of recommendations for referral to management.

For each risk factor identified the CSA team should:

–try to identify what would cause a fraud to occur, or detail the risk factor itself;
–determine the specific fraud risk;
–determine potential fraud schemes or scenarios associated with the risk;
–identify affected financial accounts;
–identify staff positions that could potentially be involved;
–try to assess the type, likelihood, significance and inherent risk involved;
–formulate the controls that could mitigate the risk;
–classify the controls by type (i.e., preventative, detective, entity, and process level);
–identify and assess residual risk.

Certified fraud examiners (CFE’s) have an active role to play in tailoring the CSA format for use in risk identification and mitigation as well as in performing actual facilitation of the CSA sessions.   Specifically, CFE’s can help client staff develop a more detailed, in-depth understanding of complex fraud risks that management and operational staff sometimes only vaguely perceive.  Armed with the knowledge developed during the CAE session(s) and coupled with their risk assessment and group facilitation skills, CFE’s can assist management and the audit committee of the client to identify, assess, and develop final fraud risk mitigation strategies to strengthen the fraud prevention program of the organization as a whole.  Following what are sometimes multiple CAE sessions, CFE’s can assist the team in detailing the menu of anti-fraud measures developed during the individual sessions in a report to client management embodying the anti-fraud recommendations of the CAE session members to the Executive Management Team and to the audit committee for their consideration.  It’s up to top management to decide which of the CSA team’s anti-fraud recommendations to implement and which of the team’s identified risks to accept.

Just a few of the advantages of conducting fraud prevention related CAE’s for critical client business processes include:

–building fraud risk awareness among those middle level managers charged with day-to- day management of our client companies business processes;
–mapping organization wide fraud prevention efforts to specific business processes;
–establishing links between information technology (IT) systems development projects and the broader fraud prevention program;
–identifying, documenting and integrating fraud prevention skill sets across all the business processes of the organization;
–support for the construction of a strong, management supported fraud prevention program that enjoys full management and board support company wide.

Finally, consider the advantages that the self assessment process brings to the ethical dimension of the utilizing enterprise.  The values that a corporation’s managers and directors wish to instill in order to motivate the beliefs and actions of its personnel need to be conveyed to provide the required guidance.  Usually such guidance takes the form of a code of conduct that states the values selected, the principles that flow from those values, and any rules that are to be followed to ensure that the appropriate values are respected.

The code of conduct itself is a worthy subject for a series of separate control self assessment sessions composed of representative levels of company staff such as the management team, lower level management and the operating staff.  The results of these sessions can be analyzed and a final comprehensive report produced documenting the comments (and even suggested revisions) that CSA participants have made regarding the code during their respective sessions.  This exercise is, thus,  an excellent vehicle to build “ownership of the code” among the staff comprising all levels of the enterprise.

Inside and Out

I had quite a good time a little over a month ago, addressing a senior auditing class at the University of Richmond on the topic of how fraud examiners and forensic accountants can work jointly together, primarily with a client’s internal auditors and, secondarily with its external auditors, to substantially strengthen any fraud investigation assignment.

Internal and external auditors each play an important role in the governance structure of their client organizations. Like CFEs, both groups have mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional standards set by their respective professional bodies. Additionally, as I told the very lively class, both types of auditors operate independently of the activities they audit, and they’re expected to have extensive knowledge about the business, industry, and strategic risks faced by the organizations they serve. Yet, with all their similarities, internal auditing and external auditing are two distinct functions that have numerous differences. The Institute of Internal Auditors (IAA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Internal auditors in the public sector (where I spent most of my audit career as a CIA) place an additional emphasis on providing assurance on performance and compliance with policies and procedures. Concerned with all aspects of the organization – both financial and non-financial – the internal auditors focus on future events because of their continuous review and evaluation of controls and processes.

In contrast, external auditing provides an independent opinion of a company’s financial statements and fair presentation. This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period are represented accurately, and whether the financial statements have been affected materially (i.e., whether they include a misstatement that is likely to influence the economic decisions of financial statement users). External auditing’s approach is mainly historical in nature, although some forward-looking improvements may be suggested in the auditors’ recommendations to management based on the analysis of controls during a financial statement audit.

I emphasized to the students that these definitions alone pinpoint the key distinctions that separate the two audit approaches. However, internal auditing is much broader and more encompassing than external auditing. Its value resides in the function’s ability to look at the underlying operations that drive the financial numbers before those numbers hit the books. For instance, when considering “sales” as a line item in a set of financial statements, the external audit focuses primarily on the existence, completeness, accuracy, classification, timing, posting and summarization of sales numbers. The internal audit goes beyond these assertions and looks at sales operations in a much broader context by asking questions regarding the target market, sales plan, organizational structure of the sales department, qualifications of sales personnel, effectiveness of sales operations, measurement of sales performance, and compliance with sales policies.

These types of questions probe the very core of sales operations and can greatly impact the sales numbers recorded in financial statements. For example, assuming a sales number of $6 million, the external auditor has merely to render an opinion regarding the validity of that number. The internal auditor, however, can ask whether the number could  have really been $12 million, if only the right market had been targeted, and if operations had been effective in the first place. It’s this emersion in detail and the overall knowledge of operations that makes the internal auditor such a strong partner for the fraud examiner in any joint investigation.

Internal auditors represent an integral part of the organization – their primary clients are management and the board. Although historically internal auditors reported to the chief financial officer or other senior management staff, for the last two decades internal auditing has reported directly to the audit committee of the board of directors, which helps strengthen auditor independence and objectivity. Today, internal audit functions, for the most part, follow this reporting relationship, which is consistent with the IIA’s Standard on Organizational Independence.

The chief audit executive’s (CAE’s) appointment is normally meant to be permanent, unless he or she resigns or is dismissed. In some quasi and intergovernmental organizations, CAEs are given tenured positions – five-year appointments, for example – to enhance independence.  Conversely, external auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and by their main client, the board of directors. External auditors are appointed by the board, and they submit an annual report to the company’s shareholders. The appointment is meant to extend for a specified time – external auditors can be re-appointed at the company’s annual general meeting. In some jurisdictions, there are limits on an external auditor’s length of service, often five or seven years.

In general, internal audit functions are not mandatory for organizations. Instead, their installment is left up to individual organizations’ discretion but internal auditing is mandatory in some cases. Companies listed on the New York Stock Exchange must have an internal audit function, whether in-house or outsourced.  An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of some government agencies are also legislated, requiring government auditors to submit the audit report to their respective legislature.

The necessary qualifications for an internal auditor rest solely on the judgment of the employer. Although internal auditors are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have garnered experience that makes them abundantly qualified to perform internal auditing. Annually, more and more internal auditors hold the IIA’s Certified Internal Auditor designation, which demonstrates competency and professionalism in the field of internal auditing. Because of their continuous investigation into all the organization’s operating systems, internal auditors who remain in the same organization for many years constitute a unique resource to the CFE of comprehensive and current knowledge of the organization and its operations.

External auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies must be members of a body of professional accountants recognized by law – for example, the Institute of Chartered Accountants in England and Wales, American Institute of Certified Public Accountants, or Canadian Institute of Chartered Accountants.  Because external auditors’ scope of work is narrowly focused on financial statement auditing, and they come into the organization only once or twice a year, their knowledge of the organization’s operations is unlikely to be as extensive as that of the internal auditors.

Those entering the CFE profession need to realize that patterns of business growth, globalization, and corporate scandals have changed the thrust of the internal audit profession in recent years. In its early years, internal auditing focused on protection oriented objectives and emphasized compliance with accounting and operational procedures, verification of calculation accuracy, fraud detection and protection of assets. Gradually, new dimensions were added that ranged from an evaluation of financial and compliance risks to an assessment of business risks, ethics and corporate governance. These changes have only increased the gap between the disciplines of internal and external auditing. Yet, despite their differences, internal auditing and external auditing no longer work in competition, as was the case before the U.S. Sarbanes-Oxley Act was enacted, when a company’s external auditors would sometimes compete with in-house audit departments for internal audit work. Regulations like Sarbanes-Oxley prohibited the external auditor from providing both external and internal audit services to the same company. Today all CFEs can benefit from the complementary skills, areas of expertise, and perspectives of both the external and the internal auditors.  The ACFE recommends that to strengthen the fraud prevention program they should meet periodically to discuss common interests (like the fraud prevention program), strive to understand each other’s scope of work and methods, discuss audit coverage and scheduling to minimize redundancies, jointly assess areas of fraud risk, and provide access to each other’s reports, programs, and work papers.

In summary, fulfilling its oversight responsibilities for assurance, the board also should require internal and external auditors to coordinate their audit work to increase the economy, efficiency, and effectiveness of the overall audit process. Despite some similarities, a world of difference exists between internal auditing and external auditing. Nonetheless, both audit types, and the respective services they provide, are essential to maintaining an effective governance structure. With a greater understanding of the unique perspective of each, CFEs can maximize the aggregate contribution or each to our joint investigations and thereby ensure organizational success.

Exploiting the Dual

businessmeet1Many of today’s CFE’s hold dual certifications as CPA’s, CIA’s, CISA’s and a host of others.  This proven enhanced expertise endows the employers of fraud examiners engaged as full time corporate auditing staff with a whole host of new and exciting fraud detection and prevention capabilities.  This is especially true of corporations whose operations are daily fraud targets.  Rather than dealing with the infrequent single instance of fraud, as is most often the case in conventional CFE practice, these staff practitioners endow their employers with enhanced power in the task of devising investigative and preventative approaches to cope with random, most often automated, fraud attempts arriving on a recurring basis, twenty-four hours a day, 365 days a year.

One of the most effective innovations that dually certified CFE’s can bring to bear in such dynamic fraud environments involves some version of a mixture of continuous monitoring, continuous fraud auditing and continuous assurance. As the external and internal auditing professions view the first of these general concepts, continuous monitoring constitutes a feedback mechanism, primarily used by management, to ensure that systems operate and transactions are processed as prescribed. For example, as one of hundreds of possible examples, management might mandate that its staff CFE (s) periodically monitor the key fraud prevention controls that ensure that customer orders are checked against credit limits to ensure that the controls remain in place and aren’t deactivated.

Continuous auditing for fraud has been defined as the collection of evidence concerning fraud scenarios, by one or more examiners, on systems and transactions, on a continuous basis throughout a temporal period. For example, the staff examiners could routinely extract details of any unusually large adjusting journal entry for investigation, validate the reasons for the entry, determine whether it had been approved, and document these findings. The historical case file of irregularities will be built up from this and like evidence and from its related investigation, as will the examiner’s knowledge of the landscape of on-going fraud threats confronting the business.

Continuous fraud control assurance can even provide a concurrent or on demand assurance opinion on systems or transactions. A continuous opinion could represent an examiner’s or auditor’s opinion that overall fraud prevention controls are operating satisfactorily, unless a report is given to the contrary (often referred to as an ‘evergreen’ fraud control report). On-demand assessment concerning the functioning of key anti-fraud controls can be called for at any time to provide a spot evaluation at a point that does not necessarily coincide with a fiscal year or month-end. For example, a potential investor or lender might want to know the state of a company’s fraud prevention controls on the day that he/she makes a final investing or lending decision. Although these types of control assessments are still relatively rare, it’s possible that, given the pervasiveness of fraud in some heavily automated financial industries, the demand for this type of assessment may accelerate in the future.

Each of these three elements are built upon (and depend on) the one that precedes it. A continuous process of fraud assessment needs continuous monitoring systems to be in place to be effective. These monitoring systems provide the evidence to be collected and assessed upon which to build management assurance.

One of the biggest benefits of a program of continuous fraud control assessment is the beneficial effect it can have on an employing organization’s overall fraud control program. It’s obvious that, with continuous assessment, any key fraud control failures are detected and fixed as soon as they occur, bringing the effectiveness of the failed controls again more closely into conjunction with management’s expectations.  An additional plus for the continuous fraud control evaluation approach is that it provides early warning of problems; employing management can be apprised of a control failure as soon as it happens, providing maximum rectification time. Early warning reduces rectification downtime for the control. The objective is for the external auditors, when they later perform their checks, to find that the control weakness identified by the staff fraud examiner is now corrected and the corrected control operative as of the sign-off date, thus avoiding audit points.  One more advantage conferred by the presence of a dually certified fraud examiner on the audit staff is that many of the controls critical to the anti-fraud program can be fully automated under the CFE’s supervision and thus lend themselves to a continuous review approach. This proactive ‘no surprises’ approach to fraud control should be attractive to all organizations considering employing those holding the CFE certification as either staff auditors or security professionals.

What does it take for management to get this fraud prevention approach off the ground?  First, hire more dually certified CFE’s.  Next, automation is key to the program’s success, especially emphasizing data mining and analytics. Technology that can speed up communication is also needed, because there is no value in identifying an issue quickly if it is not communicated equally quickly to those who need to know about it. Continuous auditing for fraud includes continuous monitoring and reporting by exception on problems that arise. Therefore, the control environment of the employing organization must be at least good enough to ensure that the number of exceptions detected is not initially overwhelming. If anti-fraud controls are at a semi-mature level of effectiveness, however, there is really no reason why, with effort, a continuous assurance approach can’t work.

In setting up continuous audit tests, CFE’s must understand what can go wrong and know what they are looking for, in advance; this is a point where dual certification as an experience CPA or CIA is a plus in guiding the testing process and for creating the business rules for detecting exceptions and understanding them. This latter point is no trivial matter since something that could seem an exception under one set of circumstances, can be perfectly normal under a different set and trained financial assurance professionals know the difference.

Creatively employing their dually certified CFEs in an enhanced fraud detection and prevention effort based on the continuous audit approach confers several benefits to any management while enhancing the fraud prevention program:

–Creation of a database of the most frequently occurring fraud scenarios coupled with the most effective audit approaches to investigate and resolve them;

–Development of tailored data analytics and investigative tools for common fraud scenarios; auditors can get the fraud related data they need when they want them;

— Faster and more thorough fraud examinations and greater depth of audit for the same cost;

— Investigation and resolution of fraud related issues as they occur is a proven proactive approach demonstrating an enhanced level of management due diligence;

— The entire audit staff can have more alternatives in the way they perform fraud related work, including reliance on preventive controls like front end systems edits which prevent fraud be screening out transactions likely to contain fraud on the system’s front end.

–Because fraud related auditing is more effective it becomes more visible for those being audited both within and without the enterprise. Senior management has first-hand knowledge that auditors are ‘on the case’ even if they do not see them every day of the week. This visibility can also act as an additional deterrent to frauds, both internal and external.