Category Archives: Fraud Management

On Motivation

The ACFE tells us that there is no simple profile for employees who commit fraud. However, some ACFE statistics are available. Its research has repeatedly shown that about 10 percent to 15 percent of employees are fundamentally dishonest and are likely to steal from their company if given the opportunity. About 66 percent of employees are likely to steal under the right circumstances, such as when under pressure, or when “everyone is doing it,” and the opportunity exists. In contrast, about 20 percent to 25 percent of employees are fundamentally honest and are unlikely to steal under any circumstances.

Furthermore, those employees who do steal from the company are unlikely to have a prior criminal record, and those with a good education, family, background, and work record can be just as likely to steal as anyone else.

On the other hand, research shows that the three elements of the standard fraud triangle, with which we’re all familiar, have proven themselves descriptive over many the years in explaining which employees may defraud our client companies.

• Pressure – Usually related to financial pressure such as large medical bills, gambling problems, drug habits, and extravagant living.

• Opportunity – Required to commit any fraud.

• Rationalization – Likely depends on the type of criminal and the criminal’s personality type or possible personality disorder.

The rationalization component of the fraud triangle suggests possible types of individuals who may commit fraud:

• The fundamentally dishonest employee without a personality disorder. This person could habitually be dishonest but does not have a personality disorder. Rationalization comes easily because the person is accustomed to dishonesty. Therefore, the rationalizations are likely to include statements such as “I need it more than they do” and “They won’t miss it.”

• The fundamentally dishonest employee with a personality disorder. Various personality disorders may contribute to the ability of the employee to rationalize fraud. Psychiatry uses the diagnosis antisocial personality disorder and the related diagnosis dissocial personality disorder. The following are characteristics that apply to persons with these types of mental disorders:

— Nonconformist behavior; tend to be misfits.
— Habitual lying and dishonesty.
— Impulsiveness.
— Irritability and aggressiveness.
— Insensitivity to harming self or others.
— Strong disregard for the needs of self and others.
— Tendency to blame others for personal faults and mistakes.
— Lack of responsibility.
— Difficulty in establishing and maintaining close relationships.
— Absence of the ability to feel emotions or the full range of normal emotions.

The deceitfulness dimension of these disorders could enable the person to hide some or all of his or her antisocial characteristics. This type of person is often able to steal without giving much conscious thought to rationalizations. The crime could simply arise out of the mental disturbance.

• Then there is the normally honest employee who steals given pressure and opportunity and rationalizes the theft. A person who does not normally steal is likely to give serious thought to rationalizing the theft. One common rationalization is that the person is only borrowing the money; often the person takes money with the intent to pay it back, and many times does in fact pay it back. The result is that the corporate till can become the employee’s personal lending institution; however, in many cases, the person is never able to pay back the ill-gotten loan. The normally honest employee is likely to steal out of a sudden financial need or because of a problem with a financially excessive lifestyle.

The ACFE advises us to consider possible motives when examining evidence related to an occupational fraud. Motive is the power that prompts a person to act. Motive, however, should not be confused with intent, which refers to the state of mind of the accused when performing the act. Motive, unlike intent, is not an essential element of crime, and criminal law generally treats a person’s motive as irrelevant in determining guilt or innocence. Even so, motive is relevant for other purposes: it can help identify the perpetrator; it will often guide the examiner to the proper rationalization; it further incriminates the accused; and it can be helpful in ensuring successful prosecution.

The examiner should search relevant documents to determine a possible motive. For example, if a fraud examiner has evidence in the form of a paycheck written to a ghost employee, s/he might suspect a payroll employee who recently complained about not having received a raise in the past two years. Although such information does not mean that the payroll employee committed fraud, the possible motive can guide the examiner.

During the process of interviewing suspects, interviewers should seek to understand the possible motives of interviewees. To do this, interviewers should suspend their own value system. This will better position the interviewer(s) to persuade suspects to reveal information providing insight into what might have pressured or motivated them and how they might have rationalized their actions.

In an interview situation, the examiner should not suggest reasons for the crime. Instead, the examiner should let the individual share his or her motivations, even if the suspect reveals those motivations in an indirect manner.

In interviewing suspects for motives:

• Leave your ego at the door.
• Talk to the suspected perpetrator as an adult.
• Do not patronize the suspect.
• Use good communication skills to develop rapport with subjects so that they will feel comfortable talking to you.
• Avoid being confrontational with the suspect. If the interviewer is confrontational, the perpetrator will be less likely to make an admission.

When conducting an interview with a suspect, the interviewer should begin by asking questions about the standard procedures and the actual practice of the operations at issue. This is necessary to gain an understanding of the way the relevant process is intended to work and how it actually works. Additionally, asking such basic questions early in the interview will help the interviewer observe the interviewee’s “normal” behavior so that the interviewer can notice any changes in the subject’s mannerisms and word choice.

Next, the interviewer might ask non-accusatory questions related to the issue at hand, such as:

• Why do you think someone would do something like this?
• What do you think should happen to a person who would do something like this?
• Of all of the people who work in this area, who could be involved?

The answers to these questions can help the interviewer understand the possible motives of various suspects, narrow the pool of suspects, or even obtain an admission. For example, a suspect who answers the question “Why do you think someone would do something like this?” with a sympathetic answer might be trying to appeal to the interviewer’s sense of compassion to reduce or minimize his or her punishment.

The more the interviewer knows about the perpetrator, the better chance s/he will have of identifying the perpetrator’s motive and rationalization. Once the perpetrator thinks that the interviewer understands her motive, she will become more likely to confess.

During the motivation identifying interview, fraud examiners must also remember that there are times when rational people behave irrationally. This is important in the interview process because it will help humanize the misconduct. Unless the perpetrator has a mental or emotional disorder, it is acceptable to expect that the perpetrator committed the fraud for a reason.

Situational fraudsters, those who rationalize their right to an illegal enrichment and perpetrate fraud when the opportunity arises, do not tend to view themselves as criminals. This is in contrast to deviant fraudsters, who are more proactive than situational fraudsters and who are always on the alert for opportunities to commit fraud. Situational fraudsters rationalize their crimes. Situational fraudsters feel that they need to commit fraud to regain control over their lives. Thus, an interviewer will be more likely to obtain a confession from a situational fraudster if s/he can genuinely communicate that s/he understands how anyone under similar-circumstances might commit such a crime. Genuineness, however, is key. If the fraudster in any way detects that the interviewer is constructing a trap, s/he generally will not make an admission of wrongdoing.

In summary, the fraud triangle is always helpful in explaining motivations for employees to defraud their employing organization by drawing attention to pressure, opportunity, and rationalization. Pressure is typically caused by sudden financial needs arising from things such as medical bills, gambling problems, drug habits, and extravagant living. The opportunity depends on the employee’s position and the strength of the company’s internal control processes. Rationalization depends on the type of criminal. The pure sociopath may need little or no rationalization. The fundamentally dishonest employee may give some conscious thought to rationalizing crimes, but the rationalization comes easily because the person is accustomed to dishonesty. Finally, the normally honest employee generally expends the most effort in rationalizing the crime, and often this type of person will really think that s/he is only borrowing the money.

When You Assume

by Rumbi Petrozzello
2018 Vice President – Central Virginia ACFE Chapter

On November 8, 2007, in the small town of Constantine, Michigan, 11-year-old Jodi Parrack was reported missing. Residents from the surrounding region volunteered to search for the missing girl, including Ray McCann, a police reservist. During the search, Ray suggested to Jodi’s mother, Valerie, that they should search for Jodi in the local cemetery. Valerie and Ray did so and, tragically, found her daughter there; she had been murdered.

Almost immediately, Ray came under suspicion. His reaction to Jodi’s death appeared to some of the investigators to be suspicious and why had he suggested that he and Valerie go to the cemetery, of all places, to look for Jodi? Then, during their subsequent investigation, the police found Jodi’s DNA on Ray’s body; according to Ray this was because he had pulled Valerie away from Jodi when he and her mother discovered the child’s body.

For years, Ray was under suspicion. He was brought in for questioning by the police on multiple occasions, and his answers, as far as the police were concerned, were not particularly convincing. He claimed to have been in one place and the police said that there was proof that he was not there. Seven years after Jodi’s murder, Ray was arrested and charged with perjury, related to the answers he had originally given the police; this seems to have been a tactic the police employed to hold him while they continued to try to gather enough evidence to charge him with Jodi’s murder.

While Ray was being held and facing from two to twenty years behind bars, another girl was attacked; she fought back, escaped and led the police to another man, Daniel Furlong. It turned out that Furlong’s DNA had been found on Jodi’s body during the original investigation as well as Ray’s and yet, the police had persisted in focusing solely on Ray. It was also revealed that the authorities were not honest when they told Ray that they possessed evidence Ray was lying. All the police really had was a deeply held conviction that Ray was being deceptive, leading to their determination to somehow develop evidence to validate that feeling.

By the time Ray was released after spending 20 wasted months of his life behind bars, he had lost his job, his family and the trust of the community in which he lived and which he had hoped someday to serve.

As Fraud Examiners and/or Forensic Accountants, we are engaged to investigate alleged wrongdoing and to follow up on leads as we work to resolve often confusing and contradictory matters. As we seek evidence, interview people and try to figure out what happened and who did what, it can be all too easy to make the mistake of viewing a red flag as somehow constituting proof. If someone giggles when they’re telling you they know nothing; if a person taps her foot throughout an interview, or if someone is extremely helpful, none of those things in themselves means anything definitive in resolving the question as to whether or not they have done anything wrong, let alone illegal.

Professional skepticism is a CFE’s tendency not to believe or take anyone’s assertions at face value, a mental tendency to ask every assertion to “prove it” (with evidence). The inevitable occurrence of confusion, errors and deception in all situations involving actual or suspected fraud dictates this basic aspect of professional skepticism. Persuading a skeptical CFE or forensic accountant is not impossible, just somewhat more difficult than persuading a normal person in an everyday context. Our skepticism protects the Ray McCann’s of this world because it’s a manifestation of objectivity, holding no special concern for preconceived conclusions on any side of an issue. Skepticism is not an attitude of being cynical, hypercritical, or scornful. The properly skeptical investigator asks these questions (1) What do I need to know? (2) How well do I know it? (3) Does it make sense?

Professional skepticism should lead investigators to appropriate inquiry about every clue involving seeming wrong doing. Clues should lead to thinking about the evidence needed, wringing out all the implications from the evidence, then arriving at the most suitable and supportable explanation. Time pressure to complete an investigation is no excuse for failing to exercise professional skepticism and bias and prejudice are always unacceptable. Too many investigators (including auditors) have gotten themselves into trouble by accepting some respondent’s glib assertion and stopping too early in an investigation without seeking facts supportive of alternative explanations.

A red flag means only that further investigation is warranted; it definitely does not mean that the examiner should shut down all other avenues of investigation and it certainly does not mean that an attempt should ever be made to make the crime fit the person. In the sad case of Ray McCann, the police continued to pursue him to the exclusion of all others even though they had found someone else’s DNA on Jodi’s body. They never appeared to be even looking for any other suspect. Even when Daniel Furlong subsequently confessed to murdering Jodi, the local authorities still persisted in implying that Ray was somehow connected to the crime; in the face of all contradictory evidence, the police still stubbornly refused to let go of their original hypothesis.

As we pursue our work as forensic accountants and fraud examiners, we should be constantly reviewing our hypotheses and assessing our approaches.

• Are we trying to make evidence fit the facts as we initially suppose them to be?
• Are we ignoring evidence because it does not fit the story we’re trying to tell?
• Are we letting a particular person’s behavior cloud a more objective judgment of the totality of what’s going on?

Often, even after a person has been cleared of suspicion in a case, we hear parties involved in the investigation make statements along the lines of, “I just know they are good for something.” Fortunately, our practice is not founded on feelings and gut instincts; our practice, and profession, is one that relies on evidence. As you’re investigating a matter, keep in mind:

• Following your defined process and procedure throughout is paramount to investigative success. Even if someone or some aspect of a case looks totally transparent within the context of the investigation, be thorough and follow your evidence all the way through.

• If your findings do not support your original premise, don’t try to force things. Step back and ask yourself why this is the case. Ask yourself if you need to reconsider your foundational hypothesis.

• Beware of confirmation bias – that is be careful that you are not looking only for data that reinforces the conclusion(s) that you have already reached (and, in so doing, ignoring anything that might prove contradictory).

• Even if your team is determined to work the assignment in a particular direction, make sure you speak up and let them know about any reservations you might have. You may not have the popular position, but you may end up expressing the critical position if it turns out that there is other evidence in light of which the conclusions the team has made need to be adjusted.

In summary, when you feel it in your gut and you are absolutely sure that you are right about a hypothesis, it’s very difficult to look beyond your conviction and to see or even consider other options. It’s vital that you do so since, as the ACFE has pointed out so many times, there is a hefty price to be paid professionally for ignoring evidence which eventually proves to be critical simply because it appears not to corroborate your case. Due professional care requires a disposition to question all material assertions made by all respondents involved in the case whether oral or written. This attitude must be balanced with an open mind about the integrity of all concerned. We CFEs should neither blindly assume that everyone is dishonest nor thoughtlessly assume that those involved in our investigations are not ethically challenged. The key lies in the examiner’s attitude toward gathering the evidence necessary to reach reasonable and supportable investigative decisions.

The Client Requested Recommendation

We fraud examiners must be very circumspect about drawing conclusions. But who among us has not found him or herself in a discussion with a corporate counsel who wants a recommendation from us about how best to prevent the occurrence of a fraud in the future?  In most situations, the conclusions from a well conducted examination should be self-evident and should not need to be pointed out in the report. If the conclusions are not obvious, the report might need to be clarified. Our job as fraud examiners is to obtain sufficient relevant and reliable evidence to determine the facts with a reasonable degree of forensic certainty. Assuming facts without obtaining sufficient relevant and reliable evidence is generally inappropriate.

Opinions regarding technical matters, however, are permitted if the fraud examiner is qualified as an expert in the matter being considered (many fraud examiners are certified not only as CFE’s but also as CPA’s, CIA’s or CISA’s).  For example, a permissible expert opinion, and accompanying client requested recommendation, might address the relative adequacy of an entity’s internal controls. Another opinion (and accompanying follow-on recommendation) might discuss whether financial transactions conform to generally accepted accounting principles. So, recommended remedial measures to prevent future occurrences of similar frauds are also essentially opinions, but are acceptable in fraud examination reports.

Given that examiners should always be cautious in complying with client examination related requests for recommendations regarding future fraud prevention, there is no question that such well-considered recommendations can greatly strengthen any client’s fraud prevention program.  But requested recommendations can also become a point of contention with management, as they may suggest additional procedures for staff or offend members of management if not presented sensitively and correctly. Therefore, examiners should take care to consider ways of follow-on communication with the various effected stakeholders as to how their recommendations will help fix gaps in fraud prevention and mitigate fraud risks.  Management and the stakeholders themselves will have to evaluate whether the CFE’s recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit).

Broadly, an examination recommendation (where included in the final report or not) is either a suggestion to fix an unacceptable scenario or a suggestion for improvement regarding a business process.  At management’s request, fraud examination reports can provide recommendations to fix unacceptable fraud vulnerabilities because they are easy to identify and are less likely to be disputed by the business process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it ideally could be. The value of the fraud examiner’s solicited recommendation can lie not only in providing solutions to existing vulnerability issues but in instigating thought-provoking discussions.  Recommendations also can include suggestions that can move the process, or the department being examined to the next level of anti-fraud efficiency.  When recommendations aimed at future prevention improvements are included, examination reports can become an additional tool in shaping the strategic fraud prevention direction of the client being examined.

An examiner can shape requested recommendations for fraud prevention improvement using sources both inside and outside the client organization. Internal sources of recommendations require a tactful approach as process owners may not be inclined to share unbiased opinions with a contracted CFE, but here, corporate counsel can often smooth the way with a well-timed request for cooperation. External sources include research libraries maintained by the ACFE, AICPA and other professional organizations.

It’s a good practice, if you expect to receive a request for improvement recommendations from management, to jot down fraud prevention recommendation ideas as soon as they come to mind, even though they may or may not find a place in the final report. Even if examination testing does not result in a specific finding, the CFE may still recommend improvements to the general fraud prevention process.

If requested, the examiner should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience has complete understanding. Client requested recommendations should be written simply and should:

–Address the root cause if a control deficiency is the basis of the fraud vulnerability;
–Address the business process rather than a specific person;
–Include bullets or numbering if describing a process fraud vulnerability that has several steps;
–Include more than one way of resolving an issue identified in the observation, if possible. For example, sometimes a short-term manual control is suggested as an immediate fix in addition to a recommended automated control that will involve considerable time to implement;
–Position the most important observation or fraud risk first and the rest in descending order of risk;
–Indicate a suggested priority of implementation based on the risk and the ease of implementation;
–Explain how the recommendation will mitigate the fraud risk or vulnerability in question;
–List any recommendations separately that do not link directly to an examination finding but seek to improve anti-fraud processes, policies, or systems.

The ACFE warns that recommendations, even if originally requested by client management, will go nowhere if they turn out to be unvalued by that management. Therefore, the process of obtaining management feedback on proposed anti-fraud recommendations is critical to make them practical. Ultimately, process owners may agree with a recommendation, agree with part of the recommendation, and agree in principle, but technological or personnel resource constraints won’t allow them to implement it.  They also may choose to revisit the recommendation at a future date as the risk is not imminent or disagree with the recommendation because of varying perceptions of risk or mitigating controls.

It’s my experience that management in the public sector can be averse to recommendations because of public exposure of their reports. Therefore, CFEs should clearly state in their reports if their recommendations do not correspond to any examination findings but are simply suggested improvements. More proposed fraud prevention recommendations do not necessarily mean there are more faults with the process, and this should be communicated clearly to the process owners.

Management responses should be added to the recommendations with identified action items and implementation timelines whenever possible. Whatever management’s response, a recommendation should not be changed if the response tends to dilute the examiner’s objectivity and independence and becomes representative of management’s opinions and concerns. It is the examiner’s prerogative to provide recommendations that the client has requested, regardless of whether management agrees with them. Persuasive and open-minded discussions with the appropriate levels of client management are important to achieving agreeable and implementable requested fraud prevention recommendations.

The journey from a client request for a fraud prevention recommendation to a final recommendation (whether included in the examination report or not) is complex and can be influenced by every stakeholder and constraint in the examination process, be it the overall posture of the organization toward change in general, its philosophy regarding fraud prevention, the scope of the individual fraud examination itself, views  of the effected business process owner, experience and exposure of the examination staff, or available technology. However, CFEs understand that every thought may add value to the client’s fraud prevention program and deserves consideration by the examination team. The questions at the end of every examination should be, did this examination align with the organization’s anti-fraud strategy and direction? How does our examination compare with the quality of practice as seen elsewhere? And finally, to what degree have the fraud prevention recommendations we were asked to make added value?

Tailoring Difficult Conversations

We CFE’s and forensic accountants, like other investigative professionals, are often called upon to be the bearers of bad news; it just goes with the territory.  CFE’s and forensic accountants are somewhat unique, however, in that, since fraud is ubiquitous, we’re called upon to communicate negative messages to such a diverse range of client types; today the chairman of an audit committee, tomorrow a corporate counsel, the day after that an estranged wife whose spouse has run off after looting the family business.

If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a professional relationship. And, what’s more,  it often proves a thankless task. This was recognized in a Greek proverb almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”

Physicians, who are sometimes required to deliver worse news than most CFE’s ever will, often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families They know that the message itself, may be devastating but how they deliver it can help the patient and his or her family begin to process even the most painful facts.   CFE’s are in the fortunate position of typically not having to deliver news that is quite so shattering.  Nevertheless, there is no question that certain investigative results can be extremely difficult to convey and to receive.  The ACFE tells us that learning how to prepare for and deliver such messages can create not only a a better investigator but facilitate a better investigative outcome.

Preparation to deliver difficult investigative results should begin well in advance, even before there is such a result to deliver. If the first time an investigator has a genuine interaction with the client is to confirm the existence of a fraud, that fact in itself constitutes a problem.  On the other hand, if the investigator has invested time in building a relationship before that difficult meeting takes place, the intent and motivations of both parties to the interaction are much better mutually understood. Continuous communication via weekly updates to clients from the moment irregularities are noted by examination is vital.

However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with any resultant fallout.  In such cases, the ACFE recommends focusing on investigative process as well as on content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and for anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so  the message is correct and complete.

Self-preparation involves considering the type of person who is receiving the difficult message and in determining the best approach for communicating it. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Put as much effort as possible into getting to know your client since personality tends to drive how he or she wants to receive information, interact with others, and, in turn, values things and people. When there is critical investigative information that has to be understood and accepted, seasoned examiners consider delivery tailored specifically to the client to be paramount.

Once the ground work has been laid, it’s time to have the discussion. It’s important, regarding the identified fraud, to remember to …

–Seek opportunities to balance the discussion by recognizing the client’s processes that are working well as well as those that have apparently failed;

–Offer to help or ask how you can help to address the specific issues raised in the discussion;

–Make it clear that you understand the client’s challenges. Be precise and factual in describing the causes of the identified irregularity;

–Maintain open body language. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward as this appears extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, if the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm  the situation are not successful, you might suggest a follow-up meeting after both of you have digested what was said and to consider mutually acceptable options to move forward.

–Present the bottom-line message three times in different ways so your listener has time to absorb it.

–Let the client vent if he or she wishes. The ACFE warns against a tendency to interrupt the client’s remarks of explanation or sometimes of denial; “we don’t hire people who would do something like that!” Allowing the client time to vent frees him or her to get down to business moving afterward.

–Focus on problems with the process as well as on the actions of the suspect(s) to build context for the fraud scenario.

–Always demonstrate empathy. Take time to think about what’s going through your hearer’s mind and help him or her think through the alleged scenario and how it occurred, what’s going to happen next with the investigation, and how the range of issues raised by the investigation might be resolved.

Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results. Emotional intelligence, understanding how to read people and relate to them, is vital in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the other so-called soft skills. Yet they can be critical to the successful practice of fraud examination. Examiners rarely  get in trouble over their technical skills because such skills are generally easier for them to master.  Examiners tend to get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done on the front end to help examiners with the equally critical soft skills which only arise after the experience of actual practice.  For that reason, watching a mentor deliver difficult messages or deal with emotional people is also an effective way to absorb good practices. ACFE training utilizes the role-playing of potentially troublesome presentations to a friendly group (say, the investigative staff) as another way to exercise one’s skills.

Delivering bad news is largely a matter of practice and experience, and it’s not something CFEs and forensic accountants have the choice to avoid. At the end of the day, examiners need to deliver our news verbally and in writing and to facilitate our clients understanding of it. The underlying objective is to ensure that the fact of the alleged fraud is adequately identified, reported and addressed, and that the associated risk is understood and effectively mitigated.

First Things First

About a decade ago, I attended a training session at the Virginia State Police training center conducted by James D. Ratley, then the training director for the ACFE. The training session contained some valuable advice for CFE’s and forensic accountants on immediate do’s and don’ts if an examiner strongly suspects the presence of employee perpetrated financial fraud within a client’s organization. Mr. Ratley’s counsel is as relevant today as it was then.

Ratley advised that every significant employee matter (whether a theft is involved or not) requires thoughtful examiner deliberation before any action is taken, since hasty moves will likely prove detrimental to both the investigator and to the client company. Consequently, knowing what should not be done if fraud is suspected is often more important to an eventual successful outcome than what should be done.

First, the investigator should not initially confront the employee with his or her suspicions until the investigator has first taken several important preliminary investigative steps.  Even when those steps have been taken, it may prove necessary to use a different method of informing the employee regarding her status, imminent material harm notwithstanding. False (or even valid) accusations can lead to defamation lawsuits or at the very least to an extremely uncomfortable work environment. The hasty investigator or management could offend an innocent person by questioning her integrity; consequently, your client company may never be able to regain that person’s trust or prior level of commitment. That downside is just one example of the collateral damage that can result from a fraud. Even if the employee is ultimately found to be guilty, an investigator’s insinuation gives him or her time to alter records and conceal the theft, and perhaps even siphon off more assets. It takes only a moment for an experienced person to erase a computer’s hard drive and shred documents. Although, virtually all business records can be reconstructed, reconstruction is a costly and time-consuming process that always aggravates an already stressful situation.

Second, as a rule, never terminate or suspend the suspect employee until the preliminary investigative steps referred to above have been taken.  The desire on the part of management to take decisive action is understandable, but hasty actions may be detrimental to the subsequent investigation and to the company. Furthermore, there may be certain advantages to continuing the person’s employment status for a brief period because his or her continued status might compel the suspect to take certain actions to your client’s or to the investigation’s benefit. This doesn’t apply to government employees since, unlike private sector employees, they cannot be compelled to participate in the investigation. There can be occasions, however, where it is necessary to immediately terminate the employee. For example, employees who serve in a position whose continued employment could put others at risk physically, financially, or otherwise may need to be terminated immediately. Such circumstances are rare, but if they do occur, management (and the CFE) should document the entire process and advise corporate counsel immediately.

Third, again, as a rule, the investigator should never share her initial suspicions with other employees unless their assistance is crucial, and then only if they are requested to maintain strict confidentiality.  The CFE places an arduous burden on anyone in whom s/he has confided. Asking an employee to shoulder such responsibilities is uncharted territory for nearly anyone (including for the examiner) and can aggravate an already stressful situation. An examiner may view the confidence placed in an employee as a reflection of his and management’s trust. However, the employee may view the uninvited responsibility as taking sides with management at the expense of his relationship with other employees. Consequently, this step should be taken only if necessary and, again, after consultation with counsel and management.

Regarding the do’s, Ratley recommended that the instant that an employee fraud matter surfaces, the investigator should begin continuous documentation of all pertinent investigation-related actions taken. Such documentation includes a chronological, written narrative composed with as much specificity as time permits. Its form can take many shapes, such as handwritten notes, Microsoft Word files, spreadsheets, emails to yourself or others, and/or relevant data captured in almost any other reproducible medium. This effort will, of course, be time consuming for management but is yet another example of the collateral damage resulting from almost any employee fraud. The documentation should also reference all direct and related costs and expenses incurred by the investigator and by the client company. This documentation will support insurance claims and be vital to a subsequent restitution process.  Other collateral business damages, such as the loss of customers, suppliers, or the negative fiscal impact on other employees may also merit documentation as appropriate.

Meetings with corporate counsel are also an important do.  An employee fraud situation is complex and fraught with risk for the investigator and for the client company. The circumstances can require broad and deep expertise in employment law, criminal law, insurance law, banking law, malpractice law, and various other legal concentrations. Fortunately, most corporate attorneys will acknowledge when they need to seek additional expertise beyond their own experience since a victim company counsel specializing in corporate matters may have little or no background in matters of fraud. Acknowledgment by an attorney that s/he needs additional expertise is a testament to his or her integrity. Furthermore, the client’s attorney may contribute value by participating throughout the duration of the investigation and possible prosecution and by bringing to bear his or her cumulative knowledge of the company to the benefit of the organization.

Next, depending on the nature of the fraud and on the degree of its fiscal impact, CFEs should meet with the client’s CPA firm but exercise caution. The client CPA may be well versed in their involvement with your client through their work on income taxes, audit, review, and compilations, but not in forensic analysis or fraud examination. Larger CPA firms may have departments that they claim specialize in financial forensics; the truth is that actual experience in these matters can vary widely. Furthermore, remember that the situation occurred under your client CPA’s watch, so the firm may not be free of conflict.

Finally, do determine from management as early as possible the range of actions it might want to take with respect to the suspect employee if subsequent investigation confirms the suspicion that fraud has indeed occurred.  Deciding how to handle the matter of what to do with the employee by relying upon advice from management and from the legal team can be quite helpful in shaping what investigative steps are taken subsequently. Ratley pointed out that the level and availability of evidence often drive actions relating to the suspect. For example, the best course of action for management may be to do nothing immediately, to closely monitor and document the employee’s activities, to suspend the employee with pay, or immediately terminate the suspect’s employment. There may be valid reasons to exercise any one of these options.

Let’s say the CFE is advised by management to merely monitor and document the employee’s activities since the CFE currently lacks sufficient evidence to suspend or terminate the employee immediately. The CFE and the client’s IT operation could both be integral parts of this option by designing a plan to protect the client from further loss while the investigation continues behind the scenes. The investigation can take place after hours or under the guise of an “efficiency audit,” “business planning,” or other designation. In any case, this option will probably require the investigator to devote substantial time to observe the employee and to concurrently conduct the investigation.   The CFE will either assemble sufficient evidence to proceed or conclude there is inadequate substantiation to support the accusation.

A fraud is a devastating event for any company but Mr. Ratley’s guidance about the first steps in an investigation of employee perpetrated financial fraud can help minimize the damage.  He concluded his remarks by making two additional points; first, few executives are familiar by experience with situations that require CFE or forensic accountant expertise; consequently, their often-well-meaning actions when confronted with the actuality of a fraud can result in costly mistakes regarding time, money and people. Although many such mistakes can be repaired given sufficient money and time, they are sometimes devastating and irrecoverable.  Second, attorneys, accountants and others in the service professions frequently lack sufficient experience to recognize the vast differences between civil and criminal processes.  Consequently, these professionals often can provide the best service to their corporate clients by referring and deferring to more capable fraud examination specialists like certified fraud examiners and experienced forensic accountants.

The Sword of Damocles

The media provide us with daily examples of the fact that technology is a double-edged sword. The technological advancements that make it easy for people with legitimate purposes to engage with our client businesses and governmental agencies also provide a mechanism for those bent on perpetrating theft and frauds of all kinds.

The access to services and information that customers have historically demanded has opened the flood gates through which disgruntled or unethical employees and criminals enter to commit fraud. Criminals are also exploiting the inadequacies of older fraud management policies or, in some instances, the overall lack thereof. Our parent organization, the Association of Certified Fraud Examiners (ACFE) has estimated that about 70 percent of all companies around the world experienced some type of fraud in 2016, with total global losses due to fraud exceeding US $4 trillion annually and expected to rise continually.  Organizations have incurred, on average, the loss of an estimated 7 percent of their annual revenues to fraud, with $994 billion of that total in the US alone. The ACFE has also noted that the frauds reported lasted a median length of 18 months before being detected. In addition to the direct impact of revenue loss, fraud erodes customer satisfaction and drains investments that could have been directed to corporate innovation and growth. Organizations entrusted with personally identifiable information are also held directly accountable in the eyes of the public for any breach. Surveys have shown that about one-third of fraud victims avoid merchants they blame for their victimization.

We assurance professionals know that criminals become continuously more sophisticated and the fraud they perpetrate increasingly complex. In response, the requirements for fraud risk management have significantly changed over the last few years. Fraud risk management is now not a by-product, but a purposeful choice intended to mitigate or eliminate an organizations’ exposure to the ethically challenged. Fraud risk management is no longer a “once and done” activity, but has become an on-going, ideally concurrent, program. As with all effective processes, it must be performed according to some design. To counter fraud, an organization must first understand its unique situation and the risk to which it may be exposed. This cannot be accomplished in a vacuum or through divination, but through structured analysis of an organization’s current state. Organizations are compelled by their increasingly cyber supported environments to establish an appropriate enterprise fraud risk management framework aligned with the organization’s strategic objectives and supported by a well-planned road map leading the organization to its properly defined target state of protection. Performing adequate analysis of the current state and projecting the organization goals considering that desired state is essential.  Analysis is the bedrock for implementation of any enterprise fraud risk management framework to effectively manage fraud risk.

Fraud risk management is thus both a top-down and a bottom-up process. It’s critical for an organization to establish and implement the right policies, processes, technology and supporting components within the organization and to diligently enforce these policies and processes collaboratively and consistently to fight fraud effectively across the organization. To counter fraud at an enterprise level, organizations should develop an integrated counter fraud program that enables information sharing and collaboration; the goal is to prevent first, detect early, respond effectively, monitor continuously and learn constantly. Counter fraud experience in both the public and for-profit sectors has resulted in the identification of a few critical factors for the successful implementation of enterprise-wide fraud risk management in the present era of advanced technology and big data.

The first is fraud risk management by design. Organizations like the ACFE have increasingly acknowledged the continuously emerging pattern of innovative frauds and the urgency on the part of all organizations to manage fraud risk on a daily, concurrent basis.  As a result, organizations have attempted implementation of the necessary management processes and solutions. However, it is not uncommon that our client organizations find themselves lacking in the critical support components of such a program.  Accordingly, their fraud risk mitigation efforts tend to be poorly coordinated and, sometimes, even reactionary. The fraud risk management capabilities and technology solutions in place are generally implemented in silos and disconnected across the organization.  To coordinate and guide the effort, the ACFE recommends implementation of the following key components:

— A rigorous risk assessment process — An organization must have an effective fraud risk assessment process to systematically identify significant fraud risk and to determine its individual exposure to such risk. The assessment may be integrated with an overall risk assessment or performed as a stand-alone exercise, but it should, at a minimum, include risk identification, risk likelihood, significance assessment and risk response; a component for fraud risk mitigation and implementation of compensating controls across the critical business processes composing the enterprise is also necessary for cost-effective fraud management.

–Effective governance and clearly defined organizational responsibilities — Organizations must commit to an effective governance process providing oversight of the fraud management process. The central fraud risk management program must be equipped with a clear charter and accountability that will provide direction and oversight for counter fraud efforts. The fraud risk must be managed enterprise-wide with transparency and communication integrated across the organization. The formally designated fraud risk program owner must be at a level from which clear management guidelines can be communicated and implemented.

–An integrated counter fraud framework and approach — An organization-wide counter fraud framework that covers the complete landscape of fraud management (from enterprise security, authentication, business process, and application policy and procedure controls, to transaction monitoring and management), should be established. What we should be looking for as CFEs in evaluating a client’s program is a comprehensive counter fraud approach to continually enhance the consistency and efficacy of fraud management processes and practices.

–A coordinated network of counter fraud capabilities — An organization needs a structured, coordinated system of interconnected capabilities (not a point solution) implemented through management planning and proper oversight and governance. The system should ideally leverage the capabilities of big data and consider a broad set of attributes (e.g., identity, relationships, behaviors, patterns, anomalies, visualization) across multiple processes and systems. It should be transparent across users and provide guidance and alerts that enable timely and smart anti-fraud related decisions across the organization.

Secondly, a risk-based approach. No contemporary organization gets to stand still on the path to fraud risk management. Criminals are not going to give organizations a time-out to plug any holes and upgrade their arsenal of analytical tools. Organizations must adopt a risk-based approach to address areas and processes of highest risk exposures immediately, while planning for future fraud prevention enhancements. Countering fraud is an ongoing and continually evolving process, and the journey to the desired target state is a balancing act across the organization.

Thirdly, continual organizational collaboration and systemic learning. Fraud detection and prevention is not merely an information-gathering exercise and technology adoption, but an entire life cycle with continuous feedback and improvement. It requires the organization’s commitment to, and implementation of continual systemic learning, data sharing, and communication. The organization also needs to periodically align the enterprise counter fraud program with its strategic plan.

Fourthly, big data and advanced analytics.  Technological breakthroughs and capabilities grounded in big data and analytics can help prevent and counter fraudulent acts that impact the bottom line and threaten brand value and customer retention. Big data technology can ingest data from any source, regardless of structure, volume or velocity. It can harness, filter and sift through terabytes of data, whether in motion or at rest, to identify and relate the elements of information that really matter to the detection of on-going as well as of potential frauds. Big data off-the-shelf solutions already provide the means to detect instances of fraud, waste, abuse, financial crimes, improper payments, and more. Big data solutions can also reduce complexity across lines of business and allow organizations to manage fraud pervasively throughout the entire life cycle of any business process.

In summary, smart organizations manage the sword of potential fraud threats with well-planned road maps supported by proper organization and governance.  They analyze their state to understand where they are, and implement an integrated framework of standard management processes to provide the guidance and methodology for effective, ethics based, concurrent anti-fraud practice. The management of fraud risk is an integral part of their overall risk culture; a support system of interconnected counter fraud capabilities integrated across systems and processes, enabled by a technology strategy and supporting formal enterprise level oversight and governance.

With a Little Help

by Rumbi Petrozzello, CPA/CFF, CFE
2018 Vice-President – Central Virginia Chapter ACFE

In November, my husband and I headed out to our usual spot, on Fourth Avenue in Brooklyn, to cheer for those running the New York marathon. A marathon, for those who don’t know, is 26.2 miles long. People who complete marathons get nothing but respect from me – success in marathoning only comes with a lot of dedication and training. Many people spend at least six months following a training plan that is not just about building distance. For instance, when learning (and it is learning) how to complete 26.2 miles of running (or walking for that matter) people must learn how to remain fueled and hydrated while running. This training also then applies to making lifestyle adjustments such as changing one’s diet and sleeping habits. Years ago, when I was training for the New York Marathon, friends knew to not call after 10PM because I was going to bed early to get enough sleep before early morning runs. I tried not to go out on Friday nights, because I went on my long runs on Saturday mornings and wanted to be energized for them. I spent a lot of time and energy doing research, talking to friends who were seasoned runners and even took running classes to improve my performance and chances of success during the race. Despite the very popular tag line “Just Do It”, a lot of work goes into even getting to that point.

The past few months, I have been doing quite a bit of work that involves assessing the controls that companies have over their systems to detect, deter and prevent fraud and error. Going in, the time energy and money that companies have put into all of this is impressive. They will have an audit committee, an internal audit function and a lot of documentation around what their systems are. There will be volumes of documentation on procedures and protocols and, at the very least, on paper, things look fantastic. However, when we start talking to employees about what their reality is, things often are very different. Some of the issues we found included:

• Staff who did not quite understand what some technical terms meant and, so ignored the parts they didn’t understand. We spoke with people who were very happy to perform and review controls, but they didn’t know how best to do that, and no one was telling them the how;

• Some staff did not understand why they were being asked to change things and, believing that what they had been doing for years constituted a good system, stuck with that;

• In some cases, it wasn’t clear just who was responsible for ownership of a process and that meant, often, that nothing ended up getting done;

• In other instances, staff were given such vague instructions that they resorted to making it up as they went along.

Having the rules is completely useless if your people don’t know what do with them and, just as importantly, why they’re doing what they’ve been asked to do in the first place. What is vital in all of this, is the proper training. As CFEs and Forensic Accountants, we are perfectly positioned to work with clients to ensure that controls and systems go beyond theory. So it’s vitally important for success to constantly work with clients to strengthen systems and controls. This can be done by recommending that our corporate clients:

• Provide training to employees. This training must include the identification of control owners and then the process of working directly with them to ensure that they understand what their roles are and specifically why they need to follow the steps being asked of them. Sometimes, when a control owner is given a requested role, they are told to “review” something. Review can mean anything and often what some people consider to be a review is insufficient for complete understanding. For instance, an employee may think that merely saying they checked something is sufficient. Or that having a verbal conversation is enough proof of review. Be sure to recommend to clients that they let employees know that there should be written evidence of a mandated review and to be equally sure to provide clear examples of what qualifies as evidence of that review.

• Review systems and controls to ensure that they address risks. A company may institute many systems and related procedures but, upon review, a CFE or forensic accountant may find inadequate segregation of duties. You may find that a supervisor is checking a team’s work, but no one is authorizing that supervisor’s. This becomes particularly risky if that supervisor has access to many aspects of the business. A CFE or forensic accountant, can review roles and duties to ensure that duties are sufficiently segregated.

• Training should be ongoing and updated for changes in the company as well as changes in technology and processes. At least once a year, employees should receive updated training and performance reviews. In this way, companies can also learn if there have been material changes that might lead to systems and processes having been adjusted in such a way as to create weakness and holes that could lead to future fraud or error.

It’s all well and good to have ads where famous people run, jump and play and tell you to “just do it”. I remember people rolling their eyes at me when I mentioned that I was dashing to running class – why do you have to learn how to run? Doesn’t everyone know how to do that? Yes, I could run, but with training, I ran a better marathon and lived to tell the tale (unlike the original guy). Yes, employees may know how to do the compliance and control work but as a CFE or forensic accountant, you can help a client company work with their employees to perform their work better, be aware of controls and be cognizant of risk and how to mitigate it. It’s so much better than just doing it.

Internal Auditors as Fraud Auditors

Although fraud prevention is always more effective and less costly than fraud detection (and subsequent investigation), unfortunately prevention is not always possible. That’s why, as CFE’s and forensic accountants we should all be heavy promoters (and supporters) of client internal audit functions.  That is also why we should make it a goal that all employees of our client companies be trained in how to identify the major red flags of fraud they may encounter in their daily activities. Mastering key detection techniques is doubly essential for the internal audit and financial professionals employed by those same enterprises. Our Chapter has long preached that once internal auditors and financial managers know what to look for, there is an enhanced chance that fraud or suspicious activity will be detected one way or another, but only if the organization has the proper monitoring, reporting, and auditing procedures in place.

With that said, many organizations require internal audits of specific business processes and units only once every two or three years. In an age when so much can change so quickly in an internet dominated world, this approach is not the most effective insofar as fraud detection and prevention are concerned. This is especially so because conventional audits were most often not designed to detect fraud in the first place, usually focusing on specified groups of internal controls or compliance with existing policies, laws and regulations. That’s why the ACFE and Institute of Internal Auditors (IIA) now recommend that a fraud risk assessment (FRA) be conducted annually and that the fraud-auditing procedures designed to detect red flags in the high-risk areas identified by the FRA be incorporated into internal audit plans immediately.

There is often a fine line between detection and prevention. In fact, some detection steps overlap with prevention methods, as in the case of conflict of interest, where enforcing a management financial disclosure policy may both detect conflicting financial interests and prevent frauds resulting from them by virtue of the actual detection of the relationships. In most organizations, however, carefully assessing the description of prevention and detection controls demonstrates that there is usually a clear distinction between the two.

The IIA tell us that the internal audit function is a critical element in assessing the effectiveness of an institution’s internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institutional policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities.

This is a complex way of saying that our client’s internal audit function should focus on monitoring the institution’s internal controls, which, although not mentioned explicitly, include controls specifically designed to prevent fraud.  To effectively assess anti-fraud controls, auditors first must exercise detection techniques and procedures that confirm the existence of red flags or actual evidence of potential fraud in the risk areas identified by the FRA.

The Chief Internal Auditor is typically responsible for the following:

–Performing, or contracting for, a control risk assessment documenting the internal auditor’s understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in each business line, the mitigating control processes, and the resulting residual risk exposure;

–An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, the timing and frequency of internal audit work, and the resource budget;

–An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review;

–An audit report presenting the purpose, scope, and results of each audit. Work papers should be maintained to document the work performed and support audit findings.

There is a joint ACFE-IIA-AICPA document with which every CFE should be familiar.  ‘The Business Risk of Fraud’ provides clarity about the internal auditor’s role in detecting fraud in our client organization’s operations and financial statements. Specifically, the document states that internal auditors should consider the organization’s assessment of fraud risk when developing their annual audit plan and periodically assess management’s fraud detection capabilities. They should also interview and regularly communicate with those conducting the assessments, as well as with others in key positions throughout the company, to help them assess whether all fraud risks have been considered. Moreover, according to the document, when performing audits, internal auditors should devote sufficient time and attention to evaluating the “design and operation” of internal controls related to preventing and detecting significant fraud risks. They should exercise professional skepticism when reviewing activities to be on guard for the signs of potential fraud. Potential frauds uncovered during an engagement should be treated in accordance with a well-defined response plan consistent with professional and legal standards.

Among the most helpful guides for CFEs to recommend to clients for their internal auditors use in planning a detailed audit to detect fraud is the all-important SAS 99 which contains key fraud detection techniques including guidance on the performance of certain financial ratio analysis. Analytical procedures performed during planning may be helpful in identifying the risks of material misstatement due to fraud. However, because such analytical procedures generally use data aggregated at a high level, the results of those analytical procedures provide only a broad initial indication about whether a material misstatement of the financial statements may exist. Accordingly, the results of analytical procedures performed during planning should be considered along with other information gathered by the auditor in identifying the risks of material misstatement due to fraud.

SAS 99 was formulated with the aim of detecting fraud that has a direct impact on “material misstatement.” Essentially this means that anything in the organization’s financial activities that could result in fraud-related misstatements in its financial records should be audited for by using SAS 99 as a guide. SAS 99 breaks down the potential fraudulent causes of material misstatement into two categories:

1. Misstatement due to fraudulent financial reporting (i.e., “book cooking”);

2. Misstatement due to misappropriation of assets (i.e., theft).

The fraud auditing procedures of SAS 99, or of any other reputable audit guidance, can greatly assist internal auditors in distinguishing between actual fraud and error. Often the two have similar characteristics, with the key difference being that of the existence or absence of intent. Toward this end, SAS 99 and other key fraud auditing guidelines provide detailed procedures for gathering evidence of potential fraud based on the lists of fraud risks resulting from the client’s FRA. As SAS 99 states:

‘SAS 99. . . strongly recommend[s] direct involvement by internal auditors in the organization’s fraud-auditing efforts: Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted audit techniques to detect types of fraud. Internal auditors also can employ analytical and other procedures to isolate anomalies and perform detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, enabling them to express any concerns about management’s commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.

Specifically, SAS 99 provides a set of audit responses designed to gather hard evidence of potential fraud that could exist based on what the client organization learned from its FRA. These responses are critical to the auditor’s success in identifying clear red flags of potential fraud in our client’s operations. The responses are wide ranging and include anything from the application of appropriate ratio analytics, to thorough and detailed testing of controls governing specific business process procedures, to the analysis of anomalies in vendor or customer account activity. There are three broad categories into which such detailed internal audit fraud auditing responses fall:

1. The nature of auditing procedures performed may need to be changed to obtain evidence that is more reliable or to obtain additional corroborative information;
2. The timing of substantive tests may need to be modified. The auditor might conclude that substantive testing should be performed at or near the end of the reporting period to best address an identified risk of material misstatement due to fraud;
3. The extent of the procedures applied should reflect the assessment of the risks of material misstatement due to fraud. For example, increasing sample sizes or performing analytical procedures at a more detailed level may be appropriate.

The contribution of a fully staffed and management-supported internal audit function to a subsequent CFE conducted fraud examination can be extraordinary and its value never overstated; no client fraud prevention and detection program should ever be considered complete without one.

A Blueprint for Fraud Risk Assessment

It appears that several of our Chapter members have been requested these last few months to assist their employers in conducting several types of fraud risk assessments. They usually do so as the Certified Fraud Examiner (CFE) member of their employing company’s internal audit-lead assessment team.   There is a consensus emerging among anti-fraud experts that conducting a fraud risk assessment (FRA) is critical to the process of detecting, and ultimately designing controls to prevent the ever-evolving types of fraud threatening organizations.

The ACFE tells us that FRAs do not necessarily specify what types of fraud are occurring in an organization. Instead, they are designed to focus detection efforts on specific fraud schemes and scenarios that could occur as well as on incidents that are known to have occurred in the past. Once these are identified, the audit team can proceed with the series of basic and specific fraud detection exercises that broad experience has shown to be effective. The objective of these exercises is to hopefully reveal the specific fraud schemes to which the organization is most exposed. This information will enable the organization’s audit team to recommend to management and to support the implementation of antifraud controls designed to address exactly those risks that have been identified.  It’s important to emphasize that fraud risk assessments are not meant to prevent fraud directly in and of themselves. They are exercises for identifying those specific fraud schemes and scenarios to which an organization is most vulnerable. That information is in turn used to conduct fraud audit exercises to highlight the circumstances that have allowed actual, known past frauds to occur or to blueprint future frauds that could occur so that the necessary controls can be put in place to prevent similar future illegal activity.

In the past, those FRAs that were conducted were usually performed by the firm’s external auditors. Increasingly, however, internal audit departments are being pressured by senior management to conduct FRAs of their own. Since internal audit departments are increasingly employing CFEs or have their expertise available to them through other company departments (like loss prevention or security), this effort can be effective since internal auditors have the tenure and experience with their organizations to know better than anyone how its financial and business operations function and can understand more readily how fraud could occur in particular processes, transactions, and business cycles.

Internal audit employed CFE’s and CIA’s aren’t involved by requirement of their professional standards in daily operations and can, therefore, provide an independent check on their organization’s overall risk management process. Audits can be considered a second channel of information on how well the enterprise’s anti-fraud controls are functioning and whether there are any deficiencies that need to be corrected.  To ensure this channel remains independent, it is important that the audit function report directly to the Audit Committee or to the board of directors and not to the chief executive officer or company president who may have responsibility for her company’s internal controls.

The Institute of Internal Auditors has endorsed audit standards that outline the techniques and procedures for conducting an FRA, specifically those contained in Statement of Auditing Standards 99 (SAS 99). By this (and other) key guidelines, an FRA is meant to assist auditors and/or fraud examiners in adjusting their audit and investigation plans to focus on gathering evidence of potential fraud schemes and scenarios identified by the FRA.

Responding to FRA findings requires the auditor to adjust the timing, nature, and extent of testing in such ways as:

• Performing procedures at physical locations on a surprise or unannounced basis by, for example, counting cash at different subsidiary locations on a surprise basis or reviewing loan portfolios of random loan officers or divisions of a savings and loan on a surprise basis;
• Requesting that financial performance data be evaluated at the end of the reporting period or on a date closer to period-end, in order, for example, to minimize the risk of manipulation of records in the period between the dates of account closings and the end of the reporting period;
• Making oral inquiries of major customers and vendors in addition to sending written confirmations, or sending confirmation requests to a specific party within vendor or customer organization;
• Performing substantive analytical procedures using disaggregated data by, for example, comparing gross profit or operating margins by branch office, type of service, line of business, or month to auditor-developed expectations;
• Interviewing personnel involved in activities in areas where a risk of material misstatement due to fraud has been identified in the past (such as at the country or regional level) to obtain their insights about the risk and how controls could address the risk.

CFE team members can make a substantial contribution to the internal audit lead team effort since it’s essential that financial operations managers and internal audit professionals understand how to conduct an FRA and to thoroughly assess the organization’s exposure to specific frauds. That contribution can add value to management’s eventual formulation and implementation of specific, customized controls designed to mitigate each type of fraud risk identified in the FRA. These are the measures that go beyond the basic, essential control checklists followed by many external auditors; they optimize the organization’s defenses against these risks. As such, they must vary from organization to organization, in accordance with the particular processes and procedures that are identified as vulnerable to fraud.

As an example, company A may process invoices in such a tightly controlled way, with double or triple approvals of new vendors, manual review of all invoices, and so on, that an FRA reveals few if any areas where red flags of vendor fraud can be identified. Company B, on the other hand, may process invoices simply by having the appropriate department head review and approve them. In the latter case, an FRA would raise red flags of potential fraud that could occur through double billing, sham company schemes, or collusion between a dishonest vendor and a company insider. For that reason, SAS 99 indicates that some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls, and other procedures that are needed to mitigate the identified risks. Effective internal controls will include a well-developed control environment, an effective and secure information system, and appropriate control and monitoring activities. Because of the importance of information technology in supporting operations and the processing of transactions, management also needs to implement and maintain appropriate controls, whether automated or manual, over computer generated information.

The ACFE tells us that the heart of an effective internal controls system and the effectiveness of an anti-fraud program are contingent on an effective risk management assessment.  Although conducting an FRA is not terribly difficult, it does require careful planning and methodical execution. The structure and culture of the organization dictate how the FRA is formulated. In general, however, there is a basic, generally accepted form of the FRA that the audit and fraud prevention communities have agreed on and about which every experienced CFE is expected to be knowledgeable. Assessing the likelihood and significance of each potential fraud risk is a subjective process that should consider not only monetary significance, but also significance to an organization’s reputation and its legal and regulatory compliance requirements. An initial assessment of fraud risk should consider the inherent risk of a particular fraud in the absence of any known controls that may address the risk. An organization can cost-effectively manage its fraud risks by assessing the likelihood and significance of fraudulent behavior.

The FRA team should include a senior internal auditor (or the chief internal auditor, if feasible) and/or an experienced inside or outside certified fraud examiner with substantial experience in conducting FRAs for organizations in the company’s industry.  The management of the internal audit department should prepare a plan for all the assignments to be performed. The audit plan includes the timing and frequency of planned internal audit work. This audit plan is based on a methodical control risk assessment A control risk assessment documents the internal auditor’s understanding of the institution’s significant activities and their associated risks. The management of the internal audit department should establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work process, and to incorporate new lines of business. The risk analysis examines all the entity’s activities, and the complete internal control system. Based on the results of the risk analysis, an audit plan for several years is established, considering the degree of risk inherent in the activities. The plan also considers expected developments and innovations, the generally higher degree of risk of new activities, and the intention to audit all significant activities and entities within a reasonable time period (audit cycle principle for example, three
years). All those concerns will determine the extent, nature and frequency of the assignments to be performed.

In summary…

• A fraud risk assessment is an analysis of an organization’s risks of being victimized by specific types of fraud;
• Approaches to FRAs will differ from organization to organization, but most FRAs focus on identifying fraud risks in six key categories:
— Fraudulent financial reporting;
— Misappropriation of assets;
— Expenditures and liabilities for an improper purpose;
— Revenue and assets obtained by fraud;
— Costs and expenses avoided by fraud;
— Financial misconduct by senior management.
• A properly conducted FRA guides auditors in adjusting their audit plans and testing to focus specifically on gathering evidence of possible fraud;
• The capability to conduct an FRA is essential to effective assessment of the viability of existing anti-fraud controls and to strengthen the organization’s inadequate controls, as identified by the results of the FRA;
• In addition to assessing the types of fraud for which the organization is at risk, the FRA assesses the likelihood that each of those frauds might occur;
• After the FRA and subsequent fraud auditing work is completed, the FRA team should have a good idea of the specific controls needed to minimize the organization’s vulnerability to fraud;
• Auditing for fraud is a critical next step after assessing fraud risks, and this requires auditing for evidence of frauds that may exist according to the red flags identified by the FRA.

Write & Wrong

It’s an adage in the auditing world that examination results that can’t be effectively communicated might as well not exist.  Unlike a financial statement audit report, the CFE’s final report presents a unique challenge because there is no standardized format. Our Chapter receives more general inquiries from new practitioners about the form and content of final examination reports than about almost any other topic.

Each fraud investigation report is different in structure and content, depending on the nature and results of the assignment and the information that needs to be communicated, as well as to whom the results are being directed. To be effective, therefore, the report must communicate the findings in an accurate and concise form. Corporate counsel, law enforcement, juries, an employing attorney and/or the audit committee and management of the victimized organization must all be able to delineate and understand the factual aspects of the fraud as well as the related risks and control deficiencies discovered so that appropriate actions can be taken timely. Thus, the choice of words used and the tone of the CFE’s final report are as important as the information presented within it. To help ensure their reports are persuasive and bring positive results, CFEs should strive to keep them specific, meaningful, actionable, results oriented, and timely.

Because the goal of the final report is to ensure that the user can interpret the results of the investigation or analysis with accuracy and according to the intentions of the fraud examiner or forensic accountant, the report’s tone and structure are paramount. The report should begin by aligning issues and recommendations with applicable ACFE and with any other applicable professional standards and end with results that are clearly written and timely presented. To ensure quality and accuracy, there are some basic guidelines or ground rules that authorities recommend should be considered when putting together a final report that adds value.

The CFE should consider carefully what specifically to communicate in the report, including the conditions, cause, effect, and “why” of each of the significant fraud related facts uncovered.  Fraud investigators should always identify and address issues in a specific context rather than in broad or general terms. For example, stating that the fraud resulted from weaknesses in the collection and processing of vendor payment receipts is too broad. The report should identify the exact circumstances and the related control issues and risk factors identified, the nature of the findings, an analysis of the specific actions constituting the fraud and some discussion (if the CFE has been requested to do so) of possible corrective actions that might be taken.

To force the writing toward more specificity, each paragraph of the report should express only one finding, with major points enumerated, or bulleted, and parallel structure should be used for each itemized statement of a listing of items. Further, the most important findings should be listed in the first sentence of a paragraph. Once findings are delineated, the explanatory narration of facts aligned to each finding should be presented. Being specific means leaving nothing to the
user’s interpretation beyond that which is intended by the writer.  Another way to achieve specificity is to align the writing of the report to an existing control framework like the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) internal control or risk management frameworks. When issues are aligned with existing standards or to a framework, it can be easier for the CFE to explain the weaknesses in the client’s control environment that made the fraud possible.

The question to be answered is: Can the client(s) readily tell what the issues are by reading the investigative report alone? If the answer is “no,” how will they satisfactorily address areas the client will eventually deem important in moving forward toward either remediation or possible prosecution? This aspect of the writing process requires the practitioner to, first, identify to whom the final report is specifically directed and, second, determine what is to be communicated that will add value for the client. For example, the report may a communication to an employing attorney, to corporate counsel, to the client’s management or audit committee or to all three. What are their expectations? Is the report the result of a routine investigation requested by client management of possible accounts payable fraud or a special investigation to address a suspected, specifically identified fraud? The answer to these and related questions will help determine the appropriate technical level and tone for the report.

When there are different readers of the report, the process necessarily becomes more complex under the necessity to meet the expectations, understandings and eventual usages of all the parties. Finding the right words to address the identified fraud related facts in a positive tone, especially when client conditions surrounding the fraud are sometimes sensitive or at least not favorable, is crucial to making the report meaningful as well as persuasive. The investigative findings must be clear and logical. If the reported results are understood and meaningful actions that add value to the position of the various users are taken because of the findings, then the purpose and meaning of the CFE’s report (and work) will be realized.

What about investigative situations in which the CFE or forensic accountant is asked to move beyond a straight-forward presentation of the facts and, as an expert on fraud and on fraud prevention, make recommendations as to corrective actions that the client might take to forestall the future commission of frauds similar to those dealt with in the final report? In such cases (which are quite common, especially with larger clients), the final report should strive to demonstrate to the extent possible the capacity of the entity to implement the recommendations the CFE has included in the report and still maintain an acceptable level of operation.  To this end, the requested recommended actions should be written in a way that conveys to management that implementing the recommendations will strengthen the organization’s overall fraud prevention capability. The writing, as well as the complexity of the corrective action, should position the client organization to implement recommendations to strengthen fraud prevention. The report should begin with the most critical issue and progress to the least important and move from the easiest recommended corrective steps to the most difficult, or to the sequence of steps to implement a recommendation. The cost to correct the fraud vulnerability should be
apparent and easily determined in the written report. Additionally, the report should provide management with a rubric to evaluate the extent to which a deficiency is corrected (e.g., minimally corrected, fully corrected). Such a guide can be used to gauge the fraud prevention related decisions of management and serve as a basis for future fraud risk assessments.

Developing the CFE’s final report is a process that involves four stages: outlining, drafting, revising, and editing. In the outlining stage, the practitioner should gather and organize the information so that, when converted to a report, it is easy for the reader to follow. This entails reviewing the working papers and making a list of the fraud related facts to be addressed and of their related chronologies. These should be discussed with the investigative team (if any) and the
client attorney, if necessary, to ensure that there is a clear understanding of the underlying facts of the case. Any further work or research should be completed at this stage. This process may be simple or complicated, depending on the extent of the investigation, the unit or operation that is under examination, and the number of fraud related facts that must be addressed.

Once all information has been gathered, the next stage is writing the draft of the report. In completing the draft, concise and coherent statements with sufficient detail should enable the reader to understand the chronology and related facts of the fraud, the fraud’s impact on operations, and the proposed corrective actions (if requested by the client). After completing the draft, revisions may be necessary to make sure that the evidence supports the results and is written in a specific context.

The final stage involves proofreading and editing for correct grammar, sentence structure, and word usage to ensure that the facts and issues related to the fraud are effectively and completely presented and that the report is coherent. Reviewers should be used at this stage to give constructive feedback. Several iterations may be necessary before a final report is completed.

In summary, the CFE’s final report should be designed to add value and to guide the client organization’s subsequent steps to a satisfactory overall fraud response and conclusion. If the CFE’s report is deficient in communicating results, critical follow-on steps requiring immediate action may be skipped or ignored. This can be costly for any company in lost opportunities for loss recoveries, botched prosecutions and damaged reputation.